Vulnerabilities > CVE-2020-24683 - Incorrect Resource Transfer Between Spheres vulnerability in ABB Symphony + Historian and Symphony + Operations

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

abb

CWE-669

critical

NVD

Published: 2020-12-22

Updated: 2021-10-07

Summary

The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application.

Vulnerable Configurations

Part	Description	Count
Application	Abb ABB Symphony + Historian 3.0 ABB Symphony + Historian 3.1 ABB Symphony + Operations 1.1 ABB Symphony + Operations 2.0 ABB Symphony + Operations 2.1 ABB Symphony + Operations 3.0 ABB Symphony + Operations 3.1 ABB Symphony + Operations 3.2 ABB Symphony + Operations 3.3	10

Common Weakness Enumeration (CWE)

CWE-669 - Incorrect Resource Transfer Between Spheres

References

https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch