Vulnerabilities > CVE-2019-14475 - Missing Authorization vulnerability in Eq-3 Ccu2 Firmware and Ccu3 Firmware

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

eq-3

CWE-862

NVD

Published: 2019-08-05

Updated: 2020-08-24

Summary

eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and prior use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID from CVE-2019-9583, resulting in the ability to read the service messages, clear the system protocol, create a new user in the system, or modify/delete internal programs.

Vulnerable Configurations

Part	Description	Count
OS	Eq-3 EQ 3 Ccu2 Firmware * EQ 3 Ccu3 Firmware 2.15.5 EQ 3 Ccu3 Firmware 2.17.15 EQ 3 Ccu3 Firmware 2.19.9 EQ 3 Ccu3 Firmware 2.19.9-1 EQ 3 Ccu3 Firmware 2.21.10 EQ 3 Ccu3 Firmware 2.25.12 EQ 3 Ccu3 Firmware 2.25.15 EQ 3 Ccu3 Firmware 2.27.7 EQ 3 Ccu3 Firmware 2.27.8 EQ 3 Ccu3 Firmware 2.27.8-1 EQ 3 Ccu3 Firmware 2.29.22 EQ 3 Ccu3 Firmware 2.29.22-1 EQ 3 Ccu3 Firmware 2.31.23 EQ 3 Ccu3 Firmware 2.31.25 EQ 3 Ccu3 Firmware 2.35.16 EQ 3 Ccu3 Firmware 3.37.8 EQ 3 Ccu3 Firmware 3.41.7 EQ 3 Ccu3 Firmware 3.41.11 EQ 3 Ccu3 Firmware 3.43.15	20
Hardware	Eq-3 EQ 3 Ccu2 - EQ 3 Ccu3 -	2

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://psytester.github.io/CVE-2019-14475