Vulnerabilities > CVE-2019-14475 - Missing Authorization vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

eq-3

CWE-862

NVD

Published: 2019-08-05

Updated: 2020-08-24

Summary

eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and prior use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID from CVE-2019-9583, resulting in the ability to read the service messages, clear the system protocol, create a new user in the system, or modify/delete internal programs.

Vulnerable Configurations

Part	Description	Count
OS	Eq-3 EQ 3 Ccu2 Firmware - EQ 3 Ccu2 Firmware 2.3.17 EQ 3 Ccu2 Firmware 2.3.18 EQ 3 Ccu2 Firmware 2.5.4 EQ 3 Ccu2 Firmware 2.7.8 EQ 3 Ccu2 Firmware 2.7.16 EQ 3 Ccu2 Firmware 2.7.17 EQ 3 Ccu2 Firmware 2.9.10 EQ 3 Ccu2 Firmware 2.9.12 EQ 3 Ccu2 Firmware 2.11.6 EQ 3 Ccu2 Firmware 2.11.9 EQ 3 Ccu2 Firmware 2.13.7 EQ 3 Ccu2 Firmware 2.15.2 EQ 3 Ccu2 Firmware 2.15.5 EQ 3 Ccu2 Firmware 2.17.14 EQ 3 Ccu2 Firmware 2.17.15 EQ 3 Ccu2 Firmware 2.17.16 EQ 3 Ccu2 Firmware 2.19.9 EQ 3 Ccu2 Firmware 2.21.10 EQ 3 Ccu2 Firmware 2.25.12 EQ 3 Ccu2 Firmware 2.25.14 EQ 3 Ccu2 Firmware 2.25.15 EQ 3 Ccu2 Firmware 2.27.7 EQ 3 Ccu2 Firmware 2.27.8 EQ 3 Ccu2 Firmware 2.29.18 EQ 3 Ccu2 Firmware 2.29.19 EQ 3 Ccu2 Firmware 2.29.22 EQ 3 Ccu2 Firmware 2.29.23 EQ 3 Ccu2 Firmware 2.31.23 EQ 3 Ccu2 Firmware 2.31.25 EQ 3 Ccu2 Firmware 2.35.15 EQ 3 Ccu2 Firmware 2.35.16 EQ 3 Ccu2 Firmware 2.41.5 EQ 3 Ccu2 Firmware 2.41.8 EQ 3 Ccu2 Firmware 2.41.9 EQ 3 Ccu3 Firmware 2.15.5 EQ 3 Ccu3 Firmware 2.17.15 EQ 3 Ccu3 Firmware 2.19.9 EQ 3 Ccu3 Firmware 2.19.9-1 EQ 3 Ccu3 Firmware 2.21.10 EQ 3 Ccu3 Firmware 2.25.12 EQ 3 Ccu3 Firmware 2.25.15 EQ 3 Ccu3 Firmware 2.27.7 EQ 3 Ccu3 Firmware 2.27.8 EQ 3 Ccu3 Firmware 2.27.8-1 EQ 3 Ccu3 Firmware 2.29.22 EQ 3 Ccu3 Firmware 2.29.22-1 EQ 3 Ccu3 Firmware 2.31.23 EQ 3 Ccu3 Firmware 2.31.25 EQ 3 Ccu3 Firmware 2.35.16 EQ 3 Ccu3 Firmware 3.37.8 EQ 3 Ccu3 Firmware 3.41.7 EQ 3 Ccu3 Firmware 3.41.11 EQ 3 Ccu3 Firmware 3.43.15 EQ 3 Ccu3 Firmware 3.43.16	55
Hardware	Eq-3 EQ 3 Ccu2 - EQ 3 Ccu3 -	2

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://psytester.github.io/CVE-2019-14475