What is the severity of CVE-2020-27220?

CVE-2020-27220 is classified as a medium severity vulnerability.

How do I fix CVE-2020-27220?

To fix CVE-2020-27220, update to Eclipse Hono version 1.5.0 or later, where the vulnerability has been addressed.

Which versions of Eclipse Hono are affected by CVE-2020-27220?

Versions of Eclipse Hono from 1.4.0 to 1.4.4 and 1.5.0 are affected by CVE-2020-27220.

What type of devices are impacted by CVE-2020-27220?

Authenticated gateway devices using the AMQP and MQTT protocol adapters in Eclipse Hono are impacted by CVE-2020-27220.

What is the main issue described in CVE-2020-27220?

The main issue in CVE-2020-27220 is the lack of authorization checks for gateway devices receiving command and control messages.

Vulnerability/
CVE-2020-27220

critical

CWE

862

14/1/2021

4/8/2024

CVE-2020-27220

First published: Thu Jan 14 2021(Updated: )

The Eclipse Hono AMQP and MQTT protocol adapters do not check whether an authenticated gateway device is authorized to receive command & control messages when it has subscribed only to commands for a specific device. The missing check involves verifying that the command target device is configured giving permission for the gateway device to act on its behalf. This means an authenticated device of a certain tenant, notably also a non-gateway device acting like a gateway, may receive command & control messages targeted at a different device of the same tenant without corresponding permissions getting checked.

Credit: emo@eclipse.org

Affected Software	Affected Version	How to fix
Eclipse Hono	>=1.4.0<=1.4.4
Eclipse Hono	=1.5.0

Never miss a vulnerability like this again

Reference Links

https://bugs.eclipse.org/bugs/show_bug.cgi?id=569856

Frequently Asked Questions

What is the severity of CVE-2020-27220?
CVE-2020-27220 is classified as a medium severity vulnerability.
How do I fix CVE-2020-27220?
To fix CVE-2020-27220, update to Eclipse Hono version 1.5.0 or later, where the vulnerability has been addressed.
Which versions of Eclipse Hono are affected by CVE-2020-27220?
Versions of Eclipse Hono from 1.4.0 to 1.4.4 and 1.5.0 are affected by CVE-2020-27220.
What type of devices are impacted by CVE-2020-27220?
Authenticated gateway devices using the AMQP and MQTT protocol adapters in Eclipse Hono are impacted by CVE-2020-27220.
What is the main issue described in CVE-2020-27220?
The main issue in CVE-2020-27220 is the lack of authorization checks for gateway devices receiving command and control messages.

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/author
agent/weakness
agent/severity
agent/references
agent/tags
agent/event
agent/description
agent/first-publish-date
agent/source
vendor/eclipse
canonical/eclipse hono
version/eclipse hono/1.4.0
version/eclipse hono/1.4.4
version/eclipse hono/1.5.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.