CVE-2020-10274

The access tokens for the REST API are directly derived (sha256 and base64 encoding) from the publicly available default credentials from the Control Dashboard (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273 allows any attacker connected to the robot networks (wired or wireless) to exfiltrate all stored data (e.g. indoor mapping images) and associated metadata from the robot's database.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:mobile-industrial-robots:mir100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mobile-industrial-robots:mir100:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:mobile-industrial-robots:mir200_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:mobile-industrial-robots:mir200:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:mobile-industrial-robots:mir250_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:mobile-industrial-robots:mir250:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:mobile-industrial-robots:mir500_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:mobile-industrial-robots:mir500:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:mobile-industrial-robots:mir1000_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:mobile-industrial-robots:mir1000:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:easyrobotics:er200_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:easyrobotics:er200:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:easyrobotics:er-lite_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:easyrobotics:er-lite:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:easyrobotics:er-flex_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:easyrobotics:er-flex:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:easyrobotics:er-one_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:easyrobotics:er-one:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:uvd-robots:uvd_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:uvd-robots:uvd:-:*:*:*:*:*:*:*

History

21 Nov 2024, 04:55

Type Values Removed Values Added
References () https://github.com/aliasrobotics/RVD/issues/2556 - Third Party Advisory () https://github.com/aliasrobotics/RVD/issues/2556 - Third Party Advisory

14 Sep 2021, 17:19

Type Values Removed Values Added
CWE CWE-200 CWE-330

Information

Published : 2020-06-24 05:15

Updated : 2024-11-21 04:55


NVD link : CVE-2020-10274

Mitre link : CVE-2020-10274

CVE.ORG link : CVE-2020-10274


JSON object : View

Products Affected

easyrobotics

  • er-one_firmware
  • er-flex
  • er200_firmware
  • er200
  • er-lite_firmware
  • er-lite
  • er-one
  • er-flex_firmware

mobile-industrial-robots

  • mir1000_firmware
  • mir250_firmware
  • mir500_firmware
  • mir200
  • mir250
  • mir100_firmware
  • mir1000
  • mir100
  • mir500
  • mir200_firmware

uvd-robots

  • uvd_firmware
  • uvd
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-330

Use of Insufficiently Random Values