CVE-2020-26989

Description

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Solid Edge SE2020 (All Versions < SE2020MP12), Solid Edge SE2021 (All Versions < SE2021MP2), Teamcenter Visualization (All versions < V13.1.0.1). Affected applications lack proper validation of user-supplied data when parsing of PAR files. This could result in a stack based buffer overflow. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-11892)

References

Link	Tags
https://cert-portal.siemens.com/productcert/pdf/ssa-622830.pdf	vendor advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-979834.pdf	vendor advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-050/	vdb entry third party advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-663999.pdf	patch vendor advisory

Frequently Asked Questions

What is the severity of CVE-2020-26989?: CVE-2020-26989 has been scored as a high severity vulnerability.
How to fix CVE-2020-26989?: To fix CVE-2020-26989, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-26989 being actively exploited in the wild?: It is possible that CVE-2020-26989 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-26989?: CVE-2020-26989 affects Siemens JT2Go, Siemens Solid Edge SE2020, Siemens Solid Edge SE2021, Siemens Teamcenter Visualization.

Description

Categories

CWE-121 – Stack-based Buffer Overflow

CWE-787 – Out-of-bounds Write

References

Frequently Asked Questions