cvelist/2020/7xxx/CVE-2020-7378.json

{
    "CVE_data_meta": {
        "ASSIGNER": "cve@rapid7.com",
        "DATE_PUBLIC": "2020-11-24T15:00:00.000Z",
        "ID": "CVE-2020-7378",
        "STATE": "PUBLIC",
        "TITLE": "CRIXP OpenCRX Unverified Password Change"
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "product": {
                        "product_data": [
                            {
                                "product_name": "OpenCRX",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<=",
                                            "version_name": "4.30",
                                            "version_value": "4.30"
                                        },
                                        {
                                            "version_affected": "<=",
                                            "version_name": "5.0-20200717",
                                            "version_value": "5.0-20200717"
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "vendor_name": "CRIXP"
                }
            ]
        }
    },
    "credit": [
        {
            "lang": "eng",
            "value": "This issue was discovered and reported by Trevor Christiansen of Rapid7 in accordance with Rapid7's standard vulnerability disclosure policy."
        }
    ],
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020."
            }
        ]
    },
    "generator": {
        "engine": "Vulnogram 0.0.9"
    },
    "impact": {
        "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
        }
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-620 Unverified Password Change"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "name": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/",
                "refsource": "MISC",
                "url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"
            }
        ]
    },
    "solution": [
        {
            "lang": "eng",
            "value": "Users should update to 5.0-20200904 or later. If an update is infeasible, users should disable the RequestPasswordReset.jsp wizard."
        }
    ],
    "source": {
        "discovery": "USER"
    }
}
"-Synchronized-Data." 2020-01-21 14:01:28 +00:00			`{`
			`"CVE_data_meta": {`
"-Synchronized-Data." 2020-11-24 17:01:47 +00:00			`"ASSIGNER": "cve@rapid7.com",`
Update CVE-2020-7378 for OpenCRX 2020-11-24 10:18:44 -06:00			`"DATE_PUBLIC": "2020-11-24T15:00:00.000Z",`
"-Synchronized-Data." 2020-01-21 14:01:28 +00:00			`"ID": "CVE-2020-7378",`
Update CVE-2020-7378 for OpenCRX 2020-11-24 10:18:44 -06:00			`"STATE": "PUBLIC",`
			`"TITLE": "CRIXP OpenCRX Unverified Password Change"`
"-Synchronized-Data." 2020-01-21 14:01:28 +00:00			`},`
Update CVE-2020-7378 for OpenCRX 2020-11-24 10:18:44 -06:00			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "OpenCRX",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "<=",`
			`"version_name": "4.30",`
			`"version_value": "4.30"`
			`},`
			`{`
			`"version_affected": "<=",`
			`"version_name": "5.0-20200717",`
			`"version_value": "5.0-20200717"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name": "CRIXP"`
			`}`
			`]`
			`}`
			`},`
			`"credit": [`
			`{`
			`"lang": "eng",`
			`"value": "This issue was discovered and reported by Trevor Christiansen of Rapid7 in accordance with Rapid7's standard vulnerability disclosure policy."`
			`}`
			`],`
			`"data_format": "MITRE",`
			`"data_type": "CVE",`
			`"data_version": "4.0",`
"-Synchronized-Data." 2020-01-21 14:01:28 +00:00			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
Update CVE-2020-7378 for OpenCRX 2020-11-24 10:18:44 -06:00			`"value": "CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020."`
			`}`
			`]`
			`},`
			`"generator": {`
			`"engine": "Vulnogram 0.0.9"`
			`},`
			`"impact": {`
			`"cvss": {`
			`"attackComplexity": "LOW",`
			`"attackVector": "NETWORK",`
			`"availabilityImpact": "NONE",`
			`"baseScore": 9.1,`
			`"baseSeverity": "CRITICAL",`
			`"confidentialityImpact": "HIGH",`
			`"integrityImpact": "HIGH",`
			`"privilegesRequired": "NONE",`
			`"scope": "UNCHANGED",`
			`"userInteraction": "NONE",`
			`"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",`
			`"version": "3.1"`
			`}`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "CWE-620 Unverified Password Change"`
			`}`
			`]`
"-Synchronized-Data." 2020-01-21 14:01:28 +00:00			`}`
			`]`
Update CVE-2020-7378 for OpenCRX 2020-11-24 10:18:44 -06:00			`},`
			`"references": {`
			`"reference_data": [`
			`{`
			`"name": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/",`
			`"refsource": "MISC",`
			`"url": "https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/"`
			`}`
			`]`
			`},`
			`"solution": [`
			`{`
			`"lang": "eng",`
			`"value": "Users should update to 5.0-20200904 or later. If an update is infeasible, users should disable the RequestPasswordReset.jsp wizard."`
			`}`
			`],`
			`"source": {`
			`"discovery": "USER"`
"-Synchronized-Data." 2020-01-21 14:01:28 +00:00			`}`
			`}`