Vulnerability Description
Digi ConnectPort X2e before 3.2.30.6 allows an attacker to escalate privileges from the python user to root via a symlink attack that uses chown, related to /etc/init.d/S50dropbear.sh and the /WEB/python/.ssh directory.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Digi | Connectport X2E Firmware | < 3.2.30.6 |
| Digi | Connectport X2E | - |
Related Weaknesses (CWE)
References
- https://github.com/fireeye/Vulnerability-Disclosures (Third Party Advisory)
- https://github.com/fireeye/Vulnerability-Disclosures/blob/master/FEYE-2020-0020/ (Exploit, Third Party Advisory)
- https://www.digi.com/support/productdetail?pid=5570 (Release Notes, Vendor Advisory)
FAQ
What is CVE-2020-12878?
CVE-2020-12878 is a vulnerability with a CVSS score of 7.8 (HIGH). Digi ConnectPort X2e before 3.2.30.6 allows an attacker to escalate privileges from the python user to root via a symlink attack that uses chown, related to /etc/init.d/S50dropbear.sh and the /WEB/pyt...
How severe is CVE-2020-12878?
CVE-2020-12878 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-12878?
Check the references section above for vendor advisories and patch information. Affected products include: Digi Connectport X2E Firmware, Digi Connectport X2E.