CVE-2020-17437

Name: CVE-2020-17437
Creator: NVD / NIST
Published: 2020-12-11T23:15:12.683+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.2/10EPSS 2.75%

Last modified Jun 17, 2026

CVE-2020-17437 is a high-severity vulnerability rated 8.2/10 on the CVSS scale. An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. When the Urgent flag is set in a TCP packet, and the stack is configured to ignore the urgent data, the stack attempts to use the value of the Urgent pointer bytes to separate the Urgent data from the normal data, by calculating the offset at which the normal data should be present in the global buffer. EPSS estimates a 2.75% chance of exploitation in the next 30 days.

Description

An issue was discovered in uIP 1.0, as used in Contiki 3.0 and other products. When the Urgent flag is set in a TCP packet, and the stack is configured to ignore the urgent data, the stack attempts to use the value of the Urgent pointer bytes to separate the Urgent data from the normal data, by calculating the offset at which the normal data should be present in the global buffer. However, the length of this offset is not checked; therefore, for large values of the Urgent pointer bytes, the data pointer can point to memory that is way beyond the data buffer in uip_process in uip.c.

Metrics

CVSS 3.1

8.2/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

EPSS Probability

2.75%

84.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-787

Affected Software

Vendor	Product	Versions
Uip Project	Uip	<= 1.0
Open-Iscsi Project	Open-Iscsi	<= 2.1.7
Siemens	Sentron 3va Com100 Firmware	< 4.4.1
Siemens	Sentron 3va Com800 Firmware	< 4.4.1
Siemens	Sentron 3va Dsp800 Firmware	< 4.0
Siemens	Sentron Pac2200 Clp Firmware	All versions
Siemens	Sentron Pac2200 Firmware	< 3.2.2
Siemens	Sentron Pac3200 Firmware	< 2.4.7
Siemens	Sentron Pac3200t Firmware	< 3.2.2
Siemens	Sentron Pac3220 Firmware	< 3.2.0
Siemens	Sentron Pac4200 Firmware	< 2.3.0

References

https://cert-portal.siemens.com/productcert/pdf/ssa-541018.pdfPatch, Third Party Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01Third Party Advisory, US Government Resource
https://www.kb.cert.org/vuls/id/815128Third Party Advisory, US Government Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-541018.pdfPatch, Third Party Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01Third Party Advisory, US Government Resource
https://www.kb.cert.org/vuls/id/815128Third Party Advisory, US Government Resource

Timeline

Published: Dec 11, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-17437?

How severe is CVE-2020-17437?

CVE-2020-17437 has a CVSS score of 8.2/10 (HIGH severity). The EPSS model estimates a 2.75% probability of exploitation in the next 30 days.

How do I fix CVE-2020-17437?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-17437?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST