Vulnerabilities > CVE-2019-14473 - Missing Authorization vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

eq-3

CWE-862

NVD

Published: 2019-08-06

Updated: 2020-08-24

Summary

eQ-3 Homematic CCU2 and CCU3 use session IDs for authentication but lack authorization checks. Consequently, a valid guest level or user level account can create a new admin level account, read the service messages, clear the system protocol or modify/delete internal programs, etc. pp.

Vulnerable Configurations

Part	Description	Count
OS	Eq-3 EQ 3 Ccu2 Firmware * EQ 3 Ccu3 Firmware 2.15.5 EQ 3 Ccu3 Firmware 2.17.15 EQ 3 Ccu3 Firmware 2.19.9 EQ 3 Ccu3 Firmware 2.19.9-1 EQ 3 Ccu3 Firmware 2.21.10 EQ 3 Ccu3 Firmware 2.25.12 EQ 3 Ccu3 Firmware 2.25.15 EQ 3 Ccu3 Firmware 2.27.7 EQ 3 Ccu3 Firmware 2.27.8 EQ 3 Ccu3 Firmware 2.27.8-1 EQ 3 Ccu3 Firmware 2.29.22 EQ 3 Ccu3 Firmware 2.29.22-1 EQ 3 Ccu3 Firmware 2.31.23 EQ 3 Ccu3 Firmware 2.31.25 EQ 3 Ccu3 Firmware 2.35.16 EQ 3 Ccu3 Firmware 3.37.8 EQ 3 Ccu3 Firmware 3.41.7 EQ 3 Ccu3 Firmware 3.41.11 EQ 3 Ccu3 Firmware 3.43.15	20
Hardware	Eq-3 EQ 3 Ccu2 - EQ 3 Ccu3 -	2

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://psytester.github.io/CVE-2019-14473