Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-17437

An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. When the Urgent flag is set in a TCP packet, and the stack is configured to ignore the urgent data, the stack attempts to use the value of the Urgent pointer bytes to separate the Urgent data from the normal data, by calculating the offset at which the normal data should be present in the global buffer. However, the length of this offset is not checked; therefore, for large values of the Urgent pointer bytes, the data pointer can point to memory that is way beyond the data buffer in uip_process in uip.c.

Security Impact Summary

This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 8.2, indicating it can be exploited remotely over the network with relatively low complexity without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts limited data confidentiality, and availability (service disruption) for affected systems. Impacting 21 products from uip_project, from contiki-os, from open-iscsi_project and 18 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2020, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2020-12-11T23:15:12.683

Last Modified

2024-11-21T05:08:06.540

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.2 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL
Exploitability Score

10.0

Impact Score

4.9

Weaknesses
  • Type: Primary
    CWE-787
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application uip_project uip ≤ 1.0 Yes
Operating System contiki-os contiki ≤ 3.0 No
Application open-iscsi_project open-iscsi ≤ 2.1.7 Yes
Operating System siemens sentron_3va_com100_firmware < 4.4.1 Yes
Hardware siemens sentron_3va_com100 - No
Operating System siemens sentron_3va_com800_firmware < 4.4.1 Yes
Hardware siemens sentron_3va_com800 - No
Operating System siemens sentron_3va_dsp800_firmware < 4.0 Yes
Hardware siemens sentron_3va_dsp800 - No
Operating System siemens sentron_pac2200_clp_firmware - Yes
Hardware siemens sentron_pac2200_clp - No
Operating System siemens sentron_pac2200_firmware < 3.2.2 Yes
Hardware siemens sentron_pac2200 - No
Operating System siemens sentron_pac3200_firmware < 2.4.7 Yes
Hardware siemens sentron_pac3200 - No
Operating System siemens sentron_pac3200t_firmware < 3.2.2 Yes
Hardware siemens sentron_pac3200t - No
Operating System siemens sentron_pac3220_firmware < 3.2.0 Yes
Hardware siemens sentron_pac3220 - No
Operating System siemens sentron_pac4200_firmware < 2.3.0 Yes
Hardware siemens sentron_pac4200 - No
References

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For uip_project's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.