From 90dd513c4deb7f99f9d618042651ee320b9c3474 Mon Sep 17 00:00:00 2001 From: Robert Schultheis Date: Wed, 25 Mar 2020 11:55:42 -0600 Subject: [PATCH] add CVE-2020-5281 for GHSA-gj88-9q3f-72m3 --- 2020/5xxx/CVE-2020-5281.json | 89 +++++++++++++++++++++++++++++++++--- 1 file changed, 82 insertions(+), 7 deletions(-) diff --git a/2020/5xxx/CVE-2020-5281.json b/2020/5xxx/CVE-2020-5281.json index 985c926b58e..8e06eef6d3b 100644 --- a/2020/5xxx/CVE-2020-5281.json +++ b/2020/5xxx/CVE-2020-5281.json @@ -1,18 +1,93 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5281", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "LDAP connector injection in Perun" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "perun", + "version": { + "version_data": [ + { + "version_value": "< 3.9.1" + } + ] + } + } + ] + }, + "vendor_name": "CESNET" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "In Perun before version 3.9.1, VO or group manager can modify configuration of the LDAP extSource to retrieve all from Perun LDAP.\n\nIssue is fixed in version 3.9.1 by sanitisation of the input." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 6.2, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "HIGH", + "integrityImpact": "LOW", + "privilegesRequired": "HIGH", + "scope": "CHANGED", + "userInteraction": "REQUIRED", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/CESNET/perun/security/advisories/GHSA-gj88-9q3f-72m3", + "refsource": "CONFIRM", + "url": "https://github.com/CESNET/perun/security/advisories/GHSA-gj88-9q3f-72m3" + }, + { + "name": "https://github.com/CESNET/perun/pull/2635", + "refsource": "MISC", + "url": "https://github.com/CESNET/perun/pull/2635" + }, + { + "name": "https://github.com/CESNET/perun/commit/ac527bc3225a64208ee5cee59e5918ee360ca039", + "refsource": "MISC", + "url": "https://github.com/CESNET/perun/commit/ac527bc3225a64208ee5cee59e5918ee360ca039" + } + ] + }, + "source": { + "advisory": "GHSA-gj88-9q3f-72m3", + "discovery": "UNKNOWN" } -} \ No newline at end of file +}