CVE-2020-6650: Arbitrary code execution through “Update Manager” Class
First published: Fri Mar 20 2020(Updated: )
UPS companion software v1.05 & Prior is affected by ‘Eval Injection’ vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call e.g.”eval” in “Update Manager” class when software attempts to see if there are updates available. This results in arbitrary code execution on the machine where software is installed.
Credit: CybersecurityCOE@eaton.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Eaton Ups Companion | <=1.05 |
Remedy
Download and install the latest version from product website.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this UPS companion software vulnerability?
The vulnerability ID for this UPS companion software vulnerability is CVE-2020-6650.
What is the affected software for this vulnerability?
The affected software for this vulnerability is the UPS companion software version 1.05 and prior.
What is the severity of the CVE-2020-6650 vulnerability?
The severity of the CVE-2020-6650 vulnerability is rated as high with a severity value of 8.8.
What is the CWE ID for this vulnerability?
The CWE ID for this vulnerability is CWE-94 and CWE-95.
How do I fix the CVE-2020-6650 vulnerability?
To fix the CVE-2020-6650 vulnerability, it is recommended to update the UPS companion software to version 1.06 or later.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/severity
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/author
- agent/remedy
- agent/tags
- agent/softwarecombine
- agent/first-publish-date
- agent/event
- agent/description
- vendor/eaton
- canonical/eaton ups companion
- version/eaton ups companion/1.05