An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. When the Urgent flag is set in a TCP packet, and the stack is configured to ignore the urgent data, the stack attempts to use the value of the Urgent pointer bytes to separate the Urgent data from the normal data, by calculating the offset at which the normal data should be present in the global buffer. However, the length of this offset is not checked; therefore, for large values of the Urgent pointer bytes, the data pointer can point to memory that is way beyond the data buffer in uip_process in uip.c.
総合評価: CVE-2020-17437 は中リスク(64.7/100)。CVSS 深刻度は高。悪用される可能性が高い(EPSS 2.75%、84 パーセンタイル) 根拠: 直近 1 日で EPSS が +2.41% 上昇。悪用への関心が高まっている可能性があります。 推奨対応: 影響資産を整理し、修補計画に組み込んでください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.34% | 2.75% | +2.41% |
| 2 | 2025-12-13 | 0.24% | 0.34% | +0.10% |
| 3 | 2025-11-21 | — | 0.24% | — |
EPSS の全履歴 (全 18 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 8.2 | 3.1 | HIGH |
|
3.9 | 4.2 | [email protected] |
| 6.4 | 2.0 | MEDIUM |
|
10.0 | 4.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2020-17437 not yet assigned priority: Debian including 1 source packages (open-iscsi), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2020-17437 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2020-17437 |
suse
|
high | CVE-2020-17437 severity important: SUSE including 301 source package names (0.38.1.5.8.40:libopeniscsiusr0_2_0-2.1.4-22.14.1, 0.38.1.5.8.40:open-iscsi-2.1.4-22.14.1, …), 455 product×package rows across 65 product lines (Container suse/sles/15.2/virt-launcher, Image SLES12-SP5-Azure-BYOS, … (65 product lines)): Fixed 308, Known Affected 137, Known Not Affected 10. | https://www.suse.com/security/cve/CVE-2020-17437/ |
ubuntu
|
low | CVE-2020-17437 low priority: Ubuntu including 1 source packages (open-iscsi), 11 status rows across 11 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, trusty, upstream, xenial): released 9, ignored 1, not-affected 1. | https://ubuntu.com/security/CVE-2020-17437 |
| ベンダー | 製品 | バージョン | 生の CPE |
|---|---|---|---|
| uip_project | uip | <= 1.0 | cpe:2.3:a:uip_project:uip:*:*:*:*:*:*:*:* |
| open-iscsi_project | open-iscsi | <= 2.1.7 | cpe:2.3:a:open-iscsi_project:open-iscsi:*:*:*:*:*:*:*:* |
| siemens | sentron_3va_com100_firmware | < 4.4.1 | cpe:2.3:o:siemens:sentron_3va_com100_firmware:*:*:*:*:*:*:*:* |
| siemens | sentron_3va_com800_firmware | < 4.4.1 | cpe:2.3:o:siemens:sentron_3va_com800_firmware:*:*:*:*:*:*:*:* |
| siemens | sentron_3va_dsp800_firmware | < 4.0 | cpe:2.3:o:siemens:sentron_3va_dsp800_firmware:*:*:*:*:*:*:*:* |
| siemens | sentron_pac2200_clp_firmware | — | cpe:2.3:o:siemens:sentron_pac2200_clp_firmware:-:*:*:*:*:*:*:* |
| siemens | sentron_pac2200_firmware | < 3.2.2 | cpe:2.3:o:siemens:sentron_pac2200_firmware:*:*:*:*:*:*:*:* |
| siemens | sentron_pac3200_firmware | < 2.4.7 | cpe:2.3:o:siemens:sentron_pac3200_firmware:*:*:*:*:*:*:*:* |
| siemens | sentron_pac3200t_firmware | < 3.2.2 | cpe:2.3:o:siemens:sentron_pac3200t_firmware:*:*:*:*:*:*:*:* |
| siemens | sentron_pac3220_firmware | < 3.2.0 | cpe:2.3:o:siemens:sentron_pac3220_firmware:*:*:*:*:*:*:*:* |
| siemens | sentron_pac4200_firmware | < 2.3.0 | cpe:2.3:o:siemens:sentron_pac4200_firmware:*:*:*:*:*:*:*:* |
| URL | タグ |
|---|---|
| https://cert-portal.siemens.com/productcert/pdf/ssa-541018.pdf | Patch Third Party Advisory |
| https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01 | Third Party Advisory US Government Resource |
| https://www.kb.cert.org/vuls/id/815128 | Third Party Advisory US Government Resource |