CVE-2020-24683 CRITICAL

CVE-2020-24683: Authentication Bypass in Symphony Plus

Vendor ABB
Product ABB Ability™ Symphony® Plus Operations
Weakness CWE-602 · Client-side enforcement
Published December 22, 2020
Last update September 17, 2024

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application.

Key dates

02 Disclosure timeline

December 22, 2020 CVE published
September 17, 2024 Record updated