From 10195c12e182c0b5c8130a7379af824a260a747f Mon Sep 17 00:00:00 2001 From: Andre Eleuterio Date: Wed, 11 Nov 2020 19:12:56 -0300 Subject: [PATCH] Add CVE-2020-26220 for GHSA-hh6j-j73p-cp3h --- 2020/26xxx/CVE-2020-26220.json | 82 +++++++++++++++++++++++++++++++--- 1 file changed, 76 insertions(+), 6 deletions(-) diff --git a/2020/26xxx/CVE-2020-26220.json b/2020/26xxx/CVE-2020-26220.json index 488a3a30943..b5fd6837f82 100644 --- a/2020/26xxx/CVE-2020-26220.json +++ b/2020/26xxx/CVE-2020-26220.json @@ -1,18 +1,88 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26220", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Information exposure in touchbase.ai" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "touchbase.ai", + "version": { + "version_data": [ + { + "version_value": "< 2.0" + } + ] + } + } + ] + }, + "vendor_name": "puncsky" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "toucbase.ai before version 2.0 leaks information by not stripping exif data from images. Anyone with access to the uploaded image of other users could obtain its geolocation, device, and software version data etc (if present. The issue is fixed in version 2.0." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 3.5, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "{\"CWE-200\":\"Exposure of Sensitive Information to an Unauthorized Actor\"}" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h", + "refsource": "CONFIRM", + "url": "https://github.com/puncsky/touchbase.ai/security/advisories/GHSA-hh6j-j73p-cp3h" + }, + { + "name": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f", + "refsource": "MISC", + "url": "https://github.com/puncsky/touchbase.ai/pull/400/commits/69de77b163f6debaeb3f8d1a85367310a40d196f" + } + ] + }, + "source": { + "advisory": "GHSA-hh6j-j73p-cp3h", + "discovery": "UNKNOWN" } } \ No newline at end of file