admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-08-04 08:44:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

2020-09 CVE population

Browse Source 
populating CVEs for September
This commit is contained in:
lenpsirt 2020-09-15 10:14:18 -04:00
parent 758d821442
commit 5d74f74776
No known key found for this signature in database
GPG Key ID: BBFC49008A1FEA3C
4 changed files with 376 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
2020/8xxx/CVE-2020-8339.json
View File

@ -1,18 +1,99 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@lenovo.com",
"DATE_PUBLIC": "2020-09-15T16:00:00.000Z",
"ID": "CVE-2020-8339",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BladeCenter AMM firmware",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "3.68n [BPET68N]"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Lenovo thanks Cybersecurity lab, CS Dept, Lomonosov Moscow State University (SecLab@MSU) for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "A cross-site scripting inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface prior to version 3.68n [BPET68N]. This vulnerability could allow an authenticated user's AMM credentials to be disclosed if the user is convinced to visit a malicious web site, possibly through phishing. Successful exploitation requires specific knowledge about the users network to be included in the malicious web site. Impact is limited to the normal access restrictions of the user visiting the malicious web site, and subject to the user being logged into AMM, being able to connect to both AMM and the malicious web site while the web browser is open, and using a web browser that does not inherently protect against this class of attack. The JavaScript code is not executed on AMM itself."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-522 Insufficiently Protected Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://support.lenovo.com/us/en/product_security/LEN-38385"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Upgrade to IBM BladeCenter Advanced Management Module Firmware v3.68n [BPET68N] (or newer) from IBM Fix Central."
}
],
"source": {
"advisory": "LEN-38385",
"discovery": "UNKNOWN"
}
}
}

118
2020/8xxx/CVE-2020-8340.json
View File

@ -1,18 +1,122 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@lenovo.com",
"DATE_PUBLIC": "2020-09-15T16:00:00.000Z",
"ID": "CVE-2020-8340",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "System x IMM2 firmware for: x240, Machine Types: 7162, 2588; x440, Machine Type 7167, 2590 ; x3750 M4, Machine Type: 8753 ; x3250 M6, Machine type 3633, 3943 ; nx360 M5, Machine type 5465, 5467 ; x280/x480/x880 X6 , Machine Type 7196, 4258 ; x3850 X6 and x3950 X6, Machine type 6241 ; x3550 M5, Machine Type 5463, 8869 ; x3650 M5, Machine Type 5462, 8871; x3500 M5, Machine Type 5464, 5478 ",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "5.60"
}
]
}
},
{
"product_name": "System x IMM2 firmware for x240 M5, Machine Types: 9532, 2591",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "5.61"
}
]
}
}
]
},
"vendor_name": "Lenovo"
},
{
"product": {
"product_data": [
{
"product_name": "System x IMM2 firmware",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "5.60"
}
]
}
}
]
},
"vendor_name": "IBM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "A cross-site scripting (XSS) vulnerability was discovered in the legacy IBM and Lenovo System x IMM2 (Integrated Management Module 2), prior to version 5.60, embedded Baseboard Management Controller (BMC) web interface during an internal security review. This vulnerability could allow JavaScript code to be executed in the user's web browser if the user is convinced to visit a crafted URL, possibly through phishing. Successful exploitation requires specific knowledge about the users network to be included in the crafted URL. Impact is limited to the normal access restrictions and permissions of the user clicking the crafted URL, and subject to the user being able to connect to and already being authenticated to IMM2 or other systems. The JavaScript code is not executed on IMM2 itself."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://support.lenovo.com/us/en/product_security/LEN-44717"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Upgrade to IMM2 firmware version 5.60 (or newer) for the following System x products.\n- x240, Machine Types: 7162, 2588\n- x440, Machine Type 7167, 2590\n- x3750 M4, Machine Type: 8753\n- x3250 M6, Machine type 3633, 3943\n- nx360 M5, Machine type 5465, 5467\n- x280/x480/x880 X6 , Machine Type 7196, 4258\n- x3850 X6 and x3950 X6, Machine type 6241 \n- x3550 M5, Machine Type 5463, 8869\n- x3650 M5, Machine Type 5462, 8871 \n- x3500 M5, Machine Type 5464, 5478 \n\nUpgrade to IMM2 firmware version 5.61 (or newer) for the following System x products. - x240 M5, Machine Types: 9532, 2591"
}
],
"source": {
"advisory": "LEN-44717",
"discovery": "UNKNOWN"
}
}
}

95
2020/8xxx/CVE-2020-8342.json
View File

@ -1,18 +1,99 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@lenovo.com",
"DATE_PUBLIC": "2020-09-15T16:00:00.000Z",
"ID": "CVE-2020-8342",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "System Update",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "5.07.0106"
}
]
}
}
]
},
"vendor_name": "Lenovo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Lenovo thanks Security Advisor, Anders Kusk, Improsec ApS for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "A race condition vulnerability was reported in Lenovo System Update prior to version 5.07.0106 that could allow escalation of privilege."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://support.lenovo.com/us/en/product_security/LEN-42150"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Upgrade to the Lenovo System Update version 5.07.0106 (or newer)."
}
],
"source": {
"advisory": "LEN-42150",
"discovery": "UNKNOWN"
}
}
}

96
2020/8xxx/CVE-2020-8346.json
View File

@ -1,18 +1,100 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "psirt@lenovo.com",
"DATE_PUBLIC": "2020-09-15T16:00:00.000Z",
"ID": "CVE-2020-8346",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "System Interface Foundation",
"version": {
"version_data": [
{
"version_affected": "<",
"version_value": "1.1.19.5"
}
]
}
}
]
},
"vendor_name": "Lenovo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Lenovo thanks Samet Bekmezci for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "A denial of service vulnerability was reported in the Lenovo Vantage component called Lenovo System Interface Foundation prior to version 1.1.19.5 that could allow configuration files to be written to non-standard locations."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-276 Incorrect Default Permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://support.lenovo.com/us/en/product_security/LEN-38717"
}
]
},
"solution": [
{
"lang": "eng",
"value": "To update Lenovo System Interface Foundation to version 1.1.19.5 or later, follow these steps: Update Lenovo Vantage to the latest version from the Microsoft Store. Re-launch Lenovo Vantage to complete the update."
}
],
"source": {
"advisory": "LEN-38717",
"discovery": "UNKNOWN"
}
}
}