Vulnerability-Lookup

CVE-2020-12048 (GCVE-0-2020-12048)

Vulnerability from cvelistv5 – Published: 2020-06-29 13:48 – Updated: 2024-08-04 11:48

Summary

Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool.

Severity ?

No CVSS data available.

CWE

CWE-319 - CLEARTEXT TRANSMISSION OF SENSITIVE DATA CWE-319

Assigner

icscert

References

URL

Tags

https://www.us-cert.gov/ics/advisories/icsma-20-170-03

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	Baxter Phoenix Hemodialysis Delivery System	Affected: Phoenix Hemodialysis Delivery System SW 3.36 and 3.40

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:48:57.931Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Baxter Phoenix Hemodialysis Delivery System",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CLEARTEXT TRANSMISSION OF SENSITIVE DATA CWE-319",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-29T13:48:04",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-12048",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Baxter Phoenix Hemodialysis Delivery System",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CLEARTEXT TRANSMISSION OF SENSITIVE DATA CWE-319"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03",
              "refsource": "MISC",
              "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2020-12048",
    "datePublished": "2020-06-29T13:48:04",
    "dateReserved": "2020-04-21T00:00:00",
    "dateUpdated": "2024-08-04T11:48:57.931Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:baxter:phoenix_x36_firmware:3.36:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1809D598-FB9F-4D54-8B3F-119B3A549F05\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:baxter:phoenix_x36_firmware:3.40:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3B2F08A4-7907-400E-9D60-812A2F0BA929\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:baxter:phoenix_x36:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D4EE9264-DAE6-4010-A27E-DFA71C1CD165\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool.\"}, {\"lang\": \"es\", \"value\": \"Phoenix Hemodialysis Delivery System SW versiones 3.36 y 3.40, el dispositivo Phoenix Hemodialysis no admite el cifrado de datos en tr\\u00e1nsito (por ejemplo, TLS/SSL) al transmitir datos de tratamiento y prescripci\\u00f3n en la red entre el sistema Phoenix y la herramienta de gesti\\u00f3n de datos de di\\u00e1lisis Exalis. Un atacante con acceso a la red podr\\u00eda observar el tratamiento confidencial y los datos de prescripci\\u00f3n enviados entre el sistema Phoenix y la herramienta Exalis\"}]",
      "id": "CVE-2020-12048",
      "lastModified": "2024-11-21T04:59:10.710",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-06-29T14:15:11.990",
      "references": "[{\"url\": \"https://www.us-cert.gov/ics/advisories/icsma-20-170-03\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"https://www.us-cert.gov/ics/advisories/icsma-20-170-03\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-319\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-319\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-12048\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2020-06-29T14:15:11.990\",\"lastModified\":\"2024-11-21T04:59:10.710\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool.\"},{\"lang\":\"es\",\"value\":\"Phoenix Hemodialysis Delivery System SW versiones 3.36 y 3.40, el dispositivo Phoenix Hemodialysis no admite el cifrado de datos en tr\u00e1nsito (por ejemplo, TLS/SSL) al transmitir datos de tratamiento y prescripci\u00f3n en la red entre el sistema Phoenix y la herramienta de gesti\u00f3n de datos de di\u00e1lisis Exalis. Un atacante con acceso a la red podr\u00eda observar el tratamiento confidencial y los datos de prescripci\u00f3n enviados entre el sistema Phoenix y la herramienta Exalis\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-319\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-319\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:baxter:phoenix_x36_firmware:3.36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1809D598-FB9F-4D54-8B3F-119B3A549F05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:baxter:phoenix_x36_firmware:3.40:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B2F08A4-7907-400E-9D60-812A2F0BA929\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:baxter:phoenix_x36:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D4EE9264-DAE6-4010-A27E-DFA71C1CD165\"}]}]}],\"references\":[{\"url\":\"https://www.us-cert.gov/ics/advisories/icsma-20-170-03\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.us-cert.gov/ics/advisories/icsma-20-170-03\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
  }
}

ICSMA-20-170-03

Vulnerability from csaf_cisa - Published: 2020-06-18 00:00 - Updated: 2020-06-23 00:00

Summary

Baxter Phoenix Hemodialysis Delivery System (Update A)

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of this vulnerability could allow an attacker with unauthorized network access to view sensitive data.

Critical infrastructure sectors

Healthcare and Public Health

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target this vulnerability.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Baxter"
        ],
        "summary": "reporting this vulnerability to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could allow an attacker with unauthorized network access to view sensitive data.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Healthcare and Public Health",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage onus-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target this vulnerability.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-20-170-03 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2020/icsma-20-170-03.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSMA-20-170-03 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-20-170-03"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.fda.gov/medical-devices/digital-health/cybersecurity"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Baxter Phoenix Hemodialysis Delivery System (Update A)",
    "tracking": {
      "current_release_date": "2020-06-23T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSMA-20-170-03",
      "initial_release_date": "2020-06-18T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2020-06-18T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSMA-20-170-03 Baxter Phoenix Hemodialysis Delivery System"
        },
        {
          "date": "2020-06-23T00:00:00.000000Z",
          "legacy_version": "A",
          "number": "2",
          "summary": "ICSMA-20-170-03 Baxter Phoenix Hemodialysis (Update A)"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.36 | 3.40",
                "product": {
                  "name": "Phoenix Hemodialysis Delivery System :SW 3.36 and 3.40",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Phoenix Hemodialysis Delivery System"
          }
        ],
        "category": "vendor",
        "name": "Baxter"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-12048",
      "cwe": {
        "id": "CWE-319",
        "name": "Cleartext Transmission of Sensitive Information"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool.CVE-2020-12048 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12048"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Baxter recommends users apply the following implementation guidance:",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Users should also identify, analyze, evaluate, and control all risks associated with integration of medical devices in an enterprise network. Subsequent changes to the enterprise network could introduce new risks and require new analysis.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "For additional information please see the Baxter Product Security Bulletin.",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.baxter.com/product-security#additionalresources"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}

FKIE_CVE-2020-12048

Vulnerability from fkie_nvd - Published: 2020-06-29 14:15 - Updated: 2024-11-21 04:59

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	ics-cert@hq.dhs.gov	https://www.us-cert.gov/ics/advisories/icsma-20-170-03	Third Party Advisory, US Government Resource
	af854a3a-2127-422b-91ae-364da2661108	https://www.us-cert.gov/ics/advisories/icsma-20-170-03	Third Party Advisory, US Government Resource

Impacted products

Vendor	Product	Version
baxter	phoenix_x36_firmware	3.36
baxter	phoenix_x36_firmware	3.40
baxter	phoenix_x36	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:baxter:phoenix_x36_firmware:3.36:*:*:*:*:*:*:*",
              "matchCriteriaId": "1809D598-FB9F-4D54-8B3F-119B3A549F05",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:baxter:phoenix_x36_firmware:3.40:*:*:*:*:*:*:*",
              "matchCriteriaId": "3B2F08A4-7907-400E-9D60-812A2F0BA929",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:baxter:phoenix_x36:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4EE9264-DAE6-4010-A27E-DFA71C1CD165",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool."
    },
    {
      "lang": "es",
      "value": "Phoenix Hemodialysis Delivery System SW versiones 3.36 y 3.40, el dispositivo Phoenix Hemodialysis no admite el cifrado de datos en tr\u00e1nsito (por ejemplo, TLS/SSL) al transmitir datos de tratamiento y prescripci\u00f3n en la red entre el sistema Phoenix y la herramienta de gesti\u00f3n de datos de di\u00e1lisis Exalis. Un atacante con acceso a la red podr\u00eda observar el tratamiento confidencial y los datos de prescripci\u00f3n enviados entre el sistema Phoenix y la herramienta Exalis"
    }
  ],
  "id": "CVE-2020-12048",
  "lastModified": "2024-11-21T04:59:10.710",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-06-29T14:15:11.990",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-319"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-319"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2021-21082

Vulnerability from cnvd - Published: 2021-03-23

Title

Baxter Phoenix Hemodialysis Delivery System信息泄露漏洞

Description

Baxter Phoenix Hemodialysis Delivery System是美国百特（Baxter）公司的一款血液透析设备。 Baxter Phoenix Hemodialysis Delivery System SW 3.36版本和3.40版本中存在信息泄露漏洞，该漏洞源于在Phoenix系统和Exalis透析数据管理工具之间的网络上传输治疗和处方数据时，Phoenix Hemodialysis未支持传输数据的加密，攻击者可利用该漏洞获取Phoenix系统与Exalis工具之间发送的敏感治疗和处方数据。

Severity

中

Formal description

厂商尚未提供漏洞修补方案，请关注厂商主页及时更新： https://www.baxter.com/

Reference

https://www.us-cert.gov/ics/advisories/icsma-20-170-03

Impacted products

Name
['Baxter Phoenix Hemodialysis Delivery System SW 3.36', 'Baxter Phoenix Hemodialysis Delivery System SW 3.40']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-12048"
    }
  },
  "description": "Baxter Phoenix Hemodialysis Delivery System\u662f\u7f8e\u56fd\u767e\u7279\uff08Baxter\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u8840\u6db2\u900f\u6790\u8bbe\u5907\u3002\n\nBaxter Phoenix Hemodialysis Delivery System SW 3.36\u7248\u672c\u548c3.40\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728Phoenix\u7cfb\u7edf\u548cExalis\u900f\u6790\u6570\u636e\u7ba1\u7406\u5de5\u5177\u4e4b\u95f4\u7684\u7f51\u7edc\u4e0a\u4f20\u8f93\u6cbb\u7597\u548c\u5904\u65b9\u6570\u636e\u65f6\uff0cPhoenix Hemodialysis\u672a\u652f\u6301\u4f20\u8f93\u6570\u636e\u7684\u52a0\u5bc6\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6Phoenix\u7cfb\u7edf\u4e0eExalis\u5de5\u5177\u4e4b\u95f4\u53d1\u9001\u7684\u654f\u611f\u6cbb\u7597\u548c\u5904\u65b9\u6570\u636e\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u8865\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u53ca\u65f6\u66f4\u65b0\uff1a\r\nhttps://www.baxter.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-21082",
  "openTime": "2021-03-23",
  "products": {
    "product": [
      "Baxter Phoenix Hemodialysis Delivery System SW 3.36",
      "Baxter Phoenix Hemodialysis Delivery System SW 3.40"
    ]
  },
  "referenceLink": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03",
  "serverity": "\u4e2d",
  "submitTime": "2020-06-19",
  "title": "Baxter Phoenix Hemodialysis Delivery System\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

GSD-2020-12048

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-12048

Aliases

CVE-2020-12048

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-12048",
    "description": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool.",
    "id": "GSD-2020-12048"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-12048"
      ],
      "details": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool.",
      "id": "GSD-2020-12048",
      "modified": "2023-12-13T01:21:49.760356Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "ID": "CVE-2020-12048",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Baxter Phoenix Hemodialysis Delivery System",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CLEARTEXT TRANSMISSION OF SENSITIVE DATA CWE-319"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03",
            "refsource": "MISC",
            "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:baxter:phoenix_x36_firmware:3.36:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:baxter:phoenix_x36_firmware:3.40:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:baxter:phoenix_x36:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-12048"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-319"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-07-16T13:12Z",
      "publishedDate": "2020-06-29T14:15Z"
    }
  }
}

GHSA-HVXQ-9HQC-3FQF

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-12048"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-29T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool.",
  "id": "GHSA-hvxq-9hqc-3fqf",
  "modified": "2022-05-24T17:22:00Z",
  "published": "2022-05-24T17:22:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12048"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

VAR-202006-0333

Vulnerability from variot - Updated: 2023-12-18 11:52

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202006-0333",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "phoenix x36",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "baxter",
        "version": "3.36"
      },
      {
        "model": "phoenix x36",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "baxter",
        "version": "3.40"
      },
      {
        "model": "phoenix hemodialysis delivery system sw",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "baxter",
        "version": "3.36"
      },
      {
        "model": "phoenix hemodialysis delivery system sw",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "baxter",
        "version": "3.40"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-21082"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007828"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12048"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:baxter:phoenix_x36_firmware:3.36:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:baxter:phoenix_x36_firmware:3.40:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:baxter:phoenix_x36:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-12048"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Baxter",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1238"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2020-12048",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.0,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-007828",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2021-21082",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-007828",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2020-12048",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-007828",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2021-21082",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202006-1238",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-21082"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007828"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12048"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1238"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Phoenix Hemodialysis Delivery System SW 3.36 and 3.40, The Phoenix Hemodialysis device does not support data-in-transit encryption (e.g., TLS/SSL) when transmitting treatment and prescription data on the network between the Phoenix system and the Exalis dialysis data management tool. An attacker with access to the network could observe sensitive treatment and prescription data sent between the Phoenix system and the Exalis tool",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-12048"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007828"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-21082"
      }
    ],
    "trust": 2.16
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-12048",
        "trust": 3.0
      },
      {
        "db": "ICS CERT",
        "id": "ICSMA-20-170-03",
        "trust": 3.0
      },
      {
        "db": "JVN",
        "id": "JVNVU91499991",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007828",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-21082",
        "trust": 0.6
      },
      {
        "db": "NSFOCUS",
        "id": "47297",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1238",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-21082"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007828"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12048"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1238"
      }
    ]
  },
  "id": "VAR-202006-0333",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-21082"
      }
    ],
    "trust": 1.6
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "IoT"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-21082"
      }
    ]
  },
  "last_update_date": "2023-12-18T11:52:16.181000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "PHOENIX X36",
        "trust": 0.8,
        "url": "https://econnect.baxter.com/assets/downloads/products_expertise/renal_therapies/phoenix_x36_brochure_final.pdf"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007828"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-319",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007828"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12048"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.0,
        "url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-03"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-12048"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12048"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu91499991/"
      },
      {
        "trust": 0.6,
        "url": "http://www.nsfocus.net/vulndb/47297"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-21082"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007828"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12048"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1238"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-21082"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007828"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-12048"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1238"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-03-23T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-21082"
      },
      {
        "date": "2020-08-27T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-007828"
      },
      {
        "date": "2020-06-29T14:15:11.990000",
        "db": "NVD",
        "id": "CVE-2020-12048"
      },
      {
        "date": "2020-06-18T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202006-1238"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-03-23T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-21082"
      },
      {
        "date": "2020-08-27T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-007828"
      },
      {
        "date": "2020-07-16T13:12:20.120000",
        "db": "NVD",
        "id": "CVE-2020-12048"
      },
      {
        "date": "2020-07-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202006-1238"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1238"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Phoenix Hemodialysis Delivery System SW Vulnerability in plaintext transmission of important information in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-007828"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-1238"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-12048 (GCVE-0-2020-12048)

ICSMA-20-170-03

FKIE_CVE-2020-12048

CNVD-2021-21082

GSD-2020-12048

GHSA-HVXQ-9HQC-3FQF

VAR-202006-0333

Tags

Sightings

Nomenclature