How severe is CVE-2020-24722?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.9 out of 10.

What type of vulnerability is CVE-2020-24722?

This is classified as CWE-294, which is a common weakness in software security.

CVE-2020-24722 - MEDIUM Severity | CVSS 5.9

Vulnerability Description

An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-10-05, as used in COVID-19 applications on Android and iOS. The encrypted metadata block with a TX value lacks a checksum, allowing bitflipping to amplify a contamination attack. This can cause metadata deanonymization and risk-score inflation. NOTE: the vendor's position is "We do not believe that TX power authentication would be a useful defense against relay attacks.

Related Vulnerabilities

CVE-2013-1351

MEDIUM

CVSS:5.9(Medium)

Verax NMS prior to 2.10 allows authentication via the encrypted password without knowing the cleartext password.

CWE-2942013

CVE-2020-9438

MEDIUM

CVSS:5.9(Medium)

Tinxy Door Lock with firmware before 3.2 allow attackers to unlock a door by replaying an Unlock request that occurred when the attacker was previously authorized. In other words, door-access revocati...

CWE-2942020

CVE-2021-22267

MEDIUM

CVSS:5.9(Medium)

Idelji Web ViewPoint Suite, as used in conjunction with HPE NonStop, allows a remote replay attack for T0320L01^ABP through T0320L01^ABZ, T0952L01^AAH through T0952L01^AAR, T0986L01 through T0986L01^A...

CWE-2942021

CVE-2022-29593

MEDIUM

CVSS:5.9(Medium)

relay_cgi.cgi on Dingtian DT-R002 2CH relay devices with firmware 3.1.276A allows an attacker to replay HTTP post requests without the need for authentication or a valid signed/authorized request.

CWE-2942022

CVE-2022-43704

MEDIUM

CVSS:5.9(Medium)

The Sinilink XY-WFT1 WiFi Remote Thermostat, running firmware 1.3.6, allows an attacker to bypass the intended requirement to communicate using MQTT. It is possible to replay Sinilink aka SINILINK521 ...

CWE-2942022

CVE-2023-33621

MEDIUM

CVSS:5.9(Medium)

GL.iNET GL-AR750S-Ext firmware v3.215 inserts the admin authentication token into a GET request when the OpenVPN Server config file is downloaded. The token is then left in the browser history or acce...

CWE-2942023