CVE-2020-14504 - Vulnerability Details - OpenCVE

The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Rockwellautomation	1734-aentr Point I\/o Dual Port Network Adaptor Series B 1734-aentr Point I\/o Dual Port Network Adaptor Series B Firmware 1734-aentr Point I\/o Dual Port Network Adaptor Series C 1734-aentr Point I\/o Dual Port Network Adaptor Series C Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:o:rockwellautomation:1734-aentr_point_i\/o_dual_port_network_adaptor_series_b_firmware::::::::
	cpe:2.3:o:rockwellautomation:1734-aentr_point_i\/o_dual_port_network_adaptor_series_b_firmware::::::::

cpe:2.3:h:rockwellautomation:1734-aentr_point_i\/o_dual_port_network_adaptor_series_b:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

OR	cpe:2.3:o:rockwellautomation:1734-aentr_point_i\/o_dual_port_network_adaptor_series_c_firmware:6.011:::::::*
	cpe:2.3:o:rockwellautomation:1734-aentr_point_i\/o_dual_port_network_adaptor_series_c_firmware:6.012:::::::*

cpe:2.3:h:rockwellautomation:1734-aentr_point_i\/o_dual_port_network_adaptor_series_c:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01

History

Thu, 17 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-02-24T18:26:56.514Z

Updated: 2025-04-17T18:48:19.175Z

Reserved: 2020-06-19T00:00:00.000Z

Link: CVE-2020-14504

Vulnrichment

Updated: 2024-08-04T12:46:34.627Z

NVD

Status : Modified

Published: 2022-02-24T19:15:08.943

Modified: 2025-04-17T19:15:50.580

Link: CVE-2020-14504

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "1734-AENTR", "vendor": "Rockwell Automation", "versions": [{"status": "affected", "version": "Series B 4.001 to 4.005, and 5.011 to 5.017"}, {"status": "affected", "version": "Series C 6.011 and 6.012"}]}], "datePublic": "2021-03-04T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-24T18:26:56.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-03-04T17:00:00.000Z", "ID": "CVE-2020-14504", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "1734-AENTR", "version": {"version_data": [{"version_affected": "=", "version_name": "Series B", "version_value": "4.001 to 4.005, and 5.011 to 5.017"}, {"version_affected": "=", "version_name": "Series C", "version_value": "6.011 and 6.012"}]}}]}, "vendor_name": "Rockwell Automation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284 Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:46:34.627Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "CWE-287 Improper Authentication"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-17T17:52:12.840205Z", "id": "CVE-2020-14504", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T18:48:19.175Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-14504", "datePublished": "2022-02-24T18:26:56.514Z", "dateReserved": "2020-06-19T00:00:00.000Z", "dateUpdated": "2025-04-17T18:48:19.175Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:46:34.627Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2020-14504", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-17T17:52:12.840205Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T17:52:28.269Z"}}], "cna": {"source": {"discovery": "EXTERNAL"}, "affected": [{"vendor": "Rockwell Automation", "product": "1734-AENTR", "versions": [{"status": "affected", "version": "Series B 4.001 to 4.005, and 5.011 to 5.017"}, {"status": "affected", "version": "Series C 6.011 and 6.012"}]}], "datePublic": "2021-03-04T00:00:00.000Z", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-02-24T18:26:56.000Z"}, "x_legacyV4Record": {"source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "Series B", "version_value": "4.001 to 4.005, and 5.011 to 5.017", "version_affected": "="}, {"version_name": "Series C", "version_value": "6.011 and 6.012", "version_affected": "="}]}, "product_name": "1734-AENTR"}]}, "vendor_name": "Rockwell Automation"}]}}, "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284 Improper Access Control"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-14504", "STATE": "PUBLIC", "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-03-04T17:00:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2020-14504", "state": "PUBLISHED", "dateUpdated": "2025-04-17T18:48:19.175Z", "dateReserved": "2020-06-19T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-02-24T18:26:56.514Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:rockwellautomation:1734-aentr_point_i\\/o_dual_port_network_adaptor_series_b_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC7EE03C-DA81-40CC-B522-8483E5481DCB", "versionEndIncluding": "4.005", "versionStartIncluding": "4.001", "vulnerable": true}, {"criteria": "cpe:2.3:o:rockwellautomation:1734-aentr_point_i\\/o_dual_port_network_adaptor_series_b_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "593FCDBB-E5D0-4E57-B10C-3FA3C72CDD75", "versionEndIncluding": "5.017", "versionStartIncluding": "5.011", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:rockwellautomation:1734-aentr_point_i\\/o_dual_port_network_adaptor_series_b:-:*:*:*:*:*:*:*", "matchCriteriaId": "EAD4BA02-28F4-4138-9E52-C12042DD997C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:rockwellautomation:1734-aentr_point_i\\/o_dual_port_network_adaptor_series_c_firmware:6.011:*:*:*:*:*:*:*", "matchCriteriaId": "B44E467A-31EE-46BE-82AA-101C7C2EDC7A", "vulnerable": true}, {"criteria": "cpe:2.3:o:rockwellautomation:1734-aentr_point_i\\/o_dual_port_network_adaptor_series_c_firmware:6.012:*:*:*:*:*:*:*", "matchCriteriaId": "46D0F84C-6F68-4E2D-99AF-FA9E0682A24C", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:rockwellautomation:1734-aentr_point_i\\/o_dual_port_network_adaptor_series_c:-:*:*:*:*:*:*:*", "matchCriteriaId": "490F9ECB-1303-4457-9D20-8ADAC160AF6C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request that may allow for modification of the configuration settings."}, {"lang": "es", "value": "La interfaz web del m\u00f3dulo de comunicaci\u00f3n 1734-AENTR maneja inapropiadamente la autenticaci\u00f3n para las peticiones HTTP POST. Un atacante remoto no autenticado puede enviar una petici\u00f3n dise\u00f1ada que puede permitir la modificaci\u00f3n de los ajustes de configuraci\u00f3n"}], "id": "CVE-2020-14504", "lastModified": "2025-04-17T19:15:50.580", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-02-24T19:15:08.943", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-063-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Primary"}]}