Initial publication of CVE-2020-7037 and CVE-2020-7038

2025-08-04 08:44:25 +00:00 · 2021-04-28 15:22:29 -06:00 · 2021-04-28 15:22:29 -06:00 · 248ce7d3a3
commit 248ce7d3a3
parent aea3ae6d75
2 changed files with 164 additions and 30 deletions
--- a/2020/7xxx/CVE-2020-7037.json
+++ b/2020/7xxx/CVE-2020-7037.json
@ -1,18 +1,85 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
-    "CVE_data_meta": {
-        "ID": "CVE-2020-7037",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
-    },
-    "description": {
-        "description_data": [
+   "CVE_data_meta": {
+      "ASSIGNER": "securityalerts@avaya.com",
+      "DATE_PUBLIC": "2021-04-28T06:00:00.000Z",
+      "ID": "CVE-2020-7037",
+      "STATE": "PUBLIC",
+      "TITLE": "Avaya Equinox Conferencing XXE vulnerability"
+   },
+   "affects": {
+      "vendor": {
+         "vendor_data": [
            {
-                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+               "product": {
+                  "product_data": [
+                     {
+                        "product_name": "Avaya Meetings Server",
+                        "version": {
+                           "version_data": [
+                              {
+                                 "affected": "<=",
+                                 "version_name": "9.x",
+                                 "version_value": "9.1.10"
+                              }
+                           ]
+                        }
+                     }
+                  ]
+               },
+               "vendor_name": "Avaya"
            }
-        ]
-    }
-}
+         ]
+      }
+   },
+   "data_format": "MITRE",
+   "data_type": "CVE",
+   "data_version": "4.0",
+   "description": {
+      "description_data": [
+         {
+            "lang": "eng",
+            "value": "An XML External Entities (XXE) vulnerability in Media Server component of Avaya Equinox Conferencing could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system or even potentially lead to a denial of service. The affected versions of Avaya Equinox Conferencing includes all 9.x versions before 9.1.11. Equinox Conferencing is now offered as Avaya Meetings Server. \n"
+         }
+      ]
+   },
+   "impact": {
+      "cvss": {
+         "attackComplexity": "LOW",
+         "attackVector": "NETWORK",
+         "availabilityImpact": "HIGH",
+         "baseScore": 8.1,
+         "baseSeverity": "HIGH",
+         "confidentialityImpact": "HIGH",
+         "integrityImpact": "NONE",
+         "privilegesRequired": "LOW",
+         "scope": "UNCHANGED",
+         "userInteraction": "NONE",
+         "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
+         "version": "3.1"
+      }
+   },
+   "problemtype": {
+      "problemtype_data": [
+         {
+            "description": [
+               {
+                  "lang": "eng",
+                  "value": "CWE-611: Improper Restriction of XML External Entity Reference"
+               }
+            ]
+         }
+      ]
+   },
+   "references": {
+      "reference_data": [
+         {
+            "name": "https://support.avaya.com/css/P8/documents/101075574",
+            "refsource": "CONFIRM",
+            "url": "https://support.avaya.com/css/P8/documents/101075574"
+         }
+      ]
+   },
+   "source": {
+      "advisory": " ASA-2021-036"
+   }
+}
--- a/2020/7xxx/CVE-2020-7038.json
+++ b/2020/7xxx/CVE-2020-7038.json
@ -1,18 +1,85 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
-    "CVE_data_meta": {
-        "ID": "CVE-2020-7038",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
-    },
-    "description": {
-        "description_data": [
+   "CVE_data_meta": {
+      "ASSIGNER": "securityalerts@avaya.com",
+      "DATE_PUBLIC": "2021-04-28T06:00:00.000Z",
+      "ID": "CVE-2020-7038",
+      "STATE": "PUBLIC",
+      "TITLE": "Avaya Meetings Server Information Disclosure vulnerability"
+   },
+   "affects": {
+      "vendor": {
+         "vendor_data": [
            {
-                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+               "product": {
+                  "product_data": [
+                     {
+                        "product_name": "Avaya Meetings Management",
+                        "version": {
+                           "version_data": [
+                              {
+                                 "affected": "<",
+                                 "version_name": "3.x",
+                                 "version_value": "3.17"
+                              }
+                           ]
+                        }
+                     }
+                  ]
+               },
+               "vendor_name": "Avaya"
            }
-        ]
-    }
-}
+         ]
+      }
+   },
+   "data_format": "MITRE",
+   "data_type": "CVE",
+   "data_version": "4.0",
+   "description": {
+      "description_data": [
+         {
+            "lang": "eng",
+            "value": "A vulnerability was discovered in Management component of Avaya Equinox Conferencing that could potentially allow an unauthenticated, remote attacker to gain access to screen sharing and whiteboard sessions. The affected versions of Management component of Avaya Equinox Conferencing include all 3.x versions before 3.17. Avaya Equinox Conferencing is now offered as Avaya Meetings Server."
+         }
+      ]
+   },
+   "impact": {
+      "cvss": {
+         "attackComplexity": "LOW",
+         "attackVector": "NETWORK",
+         "availabilityImpact": "NONE",
+         "baseScore": 7.5,
+         "baseSeverity": "HIGH",
+         "confidentialityImpact": "HIGH",
+         "integrityImpact": "NONE",
+         "privilegesRequired": "NONE",
+         "scope": "UNCHANGED",
+         "userInteraction": "NONE",
+         "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+         "version": "3.1"
+      }
+   },
+   "problemtype": {
+      "problemtype_data": [
+         {
+            "description": [
+               {
+                  "lang": "eng",
+                  "value": "CWE-284: Improper Access Control\nCWE-200: Information Exposure"
+               }
+            ]
+         }
+      ]
+   },
+   "references": {
+      "reference_data": [
+         {
+            "name": "https://support.avaya.com/css/P8/documents/101075574",
+            "refsource": "CONFIRM",
+            "url": "https://support.avaya.com/css/P8/documents/101075574"
+         }
+      ]
+   },
+   "source": {
+      "advisory": " ASA-2021-036"
+   }
+}