From ff362da9dc156b2a9472ad7c9fb8664e1416fa00 Mon Sep 17 00:00:00 2001 From: Robert Schultheis Date: Wed, 3 Jun 2020 15:18:45 -0600 Subject: [PATCH] add CVE-2020-5295 for GHSA-r23f-c2j5-rx2f --- 2020/5xxx/CVE-2020-5295.json | 82 +++++++++++++++++++++++++++++++++--- 1 file changed, 76 insertions(+), 6 deletions(-) diff --git a/2020/5xxx/CVE-2020-5295.json b/2020/5xxx/CVE-2020-5295.json index 732f387b16b..4e3bc44368d 100644 --- a/2020/5xxx/CVE-2020-5295.json +++ b/2020/5xxx/CVE-2020-5295.json @@ -1,18 +1,88 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5295", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Local File read vulnerability in OctoberCMS" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "october", + "version": { + "version_data": [ + { + "version_value": ">= 1.0.319, < 1.0.466" + } + ] + } + } + ] + }, + "vendor_name": "octobercms" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466,\nan attacker can exploit this vulnerability to read local files of an October CMS server.\nThe vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission.\n\nIssue has been patched in Build 466 (v1.0.466)." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 4.8, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/octobercms/october/security/advisories/GHSA-r23f-c2j5-rx2f", + "refsource": "CONFIRM", + "url": "https://github.com/octobercms/october/security/advisories/GHSA-r23f-c2j5-rx2f" + }, + { + "name": "https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc", + "refsource": "MISC", + "url": "https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc" + } + ] + }, + "source": { + "advisory": "GHSA-r23f-c2j5-rx2f", + "discovery": "UNKNOWN" } } \ No newline at end of file