add CVE-2020-5246 for GHSA-v955-7g22-2p49

2025-06-08 05:58:08 +00:00 · 2020-07-14 14:37:04 -06:00 · 2020-07-14 14:37:04 -06:00 · 8e25a19435
commit 8e25a19435
parent 48ae406266
1 changed files with 76 additions and 6 deletions
--- a/2020/5xxx/CVE-2020-5246.json
+++ b/2020/5xxx/CVE-2020-5246.json
@ -1,18 +1,88 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-5246",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "LDAP injection vulnerability in Traccar GPS Tracking System"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "Traccar",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "< 4.9"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "Traccar"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. It occurs when user input is being used in LDAP search filter. By providing specially crafted input, an attacker can modify the logic of the LDAP query and get admin privileges.\n\nThe issue only impacts instances with LDAP configuration and where users can craft their own names.\n\nThis has been patched in version 4.9."
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "NONE",
+            "baseScore": 7.7,
+            "baseSeverity": "HIGH",
+            "confidentialityImpact": "NONE",
+            "integrityImpact": "HIGH",
+            "privilegesRequired": "LOW",
+            "scope": "CHANGED",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/traccar/traccar/security/advisories/GHSA-v955-7g22-2p49",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/traccar/traccar/security/advisories/GHSA-v955-7g22-2p49"
+            },
+            {
+                "name": "https://github.com/traccar/traccar/commit/e4f6e74e57ab743b65d49ae00f6624a20ca0291e",
+                "refsource": "MISC",
+                "url": "https://github.com/traccar/traccar/commit/e4f6e74e57ab743b65d49ae00f6624a20ca0291e"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-v955-7g22-2p49",
+        "discovery": "UNKNOWN"
    }
 }