admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-05-06 18:53:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2020-05-05 20:01:12 +00:00
parent b042485819
commit a63b07a1ce
No known key found for this signature in database
GPG Key ID: 5708902F06FEF743
4 changed files with 277 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
2019/15xxx/CVE-2019-15654.json
View File

@ -34,7 +34,7 @@
"description_data": [
{
"lang": "eng",
"value": "Comba AP2600-I devices through A02,0202N00PD2 are prone to password disclosure via a simple crafted /09/business/upgrade/upcfgAction.php?download=true request to the web management server. The request doesn't require any authentication and will lead to saving the DBconfig.cfg file. At the end of the file, the login information is stored in cleartext."
"value": "Comba AC2400 devices are prone to password disclosure via a simple crafted /09/business/upgrade/upcfgAction.php?download=true request to the web management server. The request doesn't require any authentication and will lead to saving the DBconfig.cfg file. At the end of the file, the login information is stored in cleartext."
}
]
},

98
2020/12xxx/CVE-2020-12142.json
View File

@ -1,18 +1,104 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "sirt@silver-peak.com",
"ID": "CVE-2020-12142",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "IPSec UDP key material can be retrieved from EdgeConnect by a user with admin credentials"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "1. Unity EdgeConnect, NX, VX 2. Unity Orchestrator, \u202f 3. EdgeConnect in AWS, Azure, GCP\u202f",
"version": {
"version_data": [
{
"version_value": "All versions affected prior to Silver Peak Unity ECOS\u2122 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestrator\u2122 8.9.2+"
}
]
}
}
]
},
"vendor_name": "Silver Peak Systems, Inc."
}
]
}
},
"configuration": [
{
"lang": "eng",
"value": "\u2022\tEdgeConnect software has been modified to prevent users from accessing IPSec seed and nonce parameters using the CLI, REST APIs, and the Linux shell. \n\n\u2022\tEdgeConnect software has been modified to allow customers to choose not to persist the IPSec seed for additional security. \n"
}
],
"credit": [
{
"lang": "eng",
"value": "This vulnerability was reported to Silver Peak by Denis Kolegov, Mariya Nedyak, and Anton Nikolaev from the SD-WAN New Hop team. "
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "a. IPSec UDP key material can be retrieved from machine-to-machine interfaces and human-accessible interfaces by a user with admin credentials. Such a user, with the required system knowledge, could use this material to decrypt in-flight communication. b. The vulnerability requires administrative access and shell access to the EdgeConnect appliance. An admin user can access IPSec seed and nonce parameters using the CLI, REST APIs, and the Linux shell. Resolution \u2022 EdgeConnect software has been modified to prevent users from accessing IPSec seed and nonce parameters using the CLI, REST APIs, and the Linux shell. \u2022 EdgeConnect software has been modified to allow customers to choose not to persist the IPSec seed for additional security. Any required configuration Upgrade to Silver Peak Unity ECOS\u2122 8.3.2+ or 8.1.9.12+ and Silver Peak Unity Orchestrator\u2122 8.9.2+. 8. Product affected All versions affected prior to Silver Peak Unity ECOS\u2122 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestrator\u2122 8.9.2+ Silver Peak Products Applicability Unity EdgeConnect, NX, VX Applicable Unity Orchestrator Applicable EdgeConnect in AWS, Azure, GCP Applicable Silver Peak Cloud Services Not Applicable"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-668: Exposure of Resource to Wrong Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.silver-peak.com/support/user-documentation/security-advisories",
"name": "https://www.silver-peak.com/support/user-documentation/security-advisories"
}
]
},
"solution": [
{
"lang": "eng",
"value": "The full details of the CVE can be found at https://www.cvedetails.com/cve/CVE-2020-12142. \n"
}
],
"source": {
"advisory": "2020 -04-24-001 -001",
"discovery": "EXTERNAL"
}
}

99
2020/12xxx/CVE-2020-12143.json
View File

@ -1,18 +1,105 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "sirt@silver-peak.com",
"ID": "CVE-2020-12143",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "The certificate used to identify Orchestrator to EdgeConnect devices is not validated "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "1. Unity EdgeConnect, NX, VX 2. Unity Orchestrator, \u202f 3. EdgeConnect in AWS, Azure, GCP\u202f ",
"version": {
"version_data": [
{
"version_name": "All versions affected prior to Silver Peak Unity ECOS\u2122 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestrator\u2122 8.9.2+ ",
"version_value": "All versions affected prior to Silver Peak Unity ECOS\u2122 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestrator\u2122 8.9.2+"
}
]
}
}
]
},
"vendor_name": "Silver Peak Systems, Inc."
}
]
}
},
"configuration": [
{
"lang": "eng",
"value": "Any required configuration\n\u2022\tDo not change Orchestrator\u2019s IP address as discovered by the EdgeConnect appliance. \n\u2022\tUpgrade to Silver Peak Unity ECOS\u2122 8.3.2+ or 8.1.9.12+ and Silver Peak Unity Orchestrator\u2122 8.9.2+. \n\u2022\tIn Orchestrator, enable the \u201cVerify Orchestrator Certificate\u201d option under Advanced Security Settings. \n\nSolution link - References \n The full details of the CVE can be found at https://www.cvedetails.com/cve/CVE-2020-12143. \n"
}
],
"credit": [
{
"lang": "eng",
"value": "This vulnerability was reported to Silver Peak by Denis Kolegov, Mariya Nedyak, and Anton Nikolaev from the SD-WAN New Hop team."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Summary - The certificate used to identify Orchestrator to EdgeConnect devices is not validated Details: The certificate used to identify Orchestrator to EdgeConnect devices is not validated, which makes it possible for someone to establish a TLS connection from EdgeConnect to an untrusted Orchestrator. Product affected - All versions affected prior to Silver Peak Unity ECOS\u2122 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestrator\u2122 8.9.2+ 1. Silver Peak product(s) Applicability 2. Unity EdgeConnect, NX, VX Applicable 3. Unity Orchestrator Applicable 4. EdgeConnect in AWS, Azure, GCP Applicable 5. Silver Peak Cloud Services Not Applicable Resolution \u2022 Changes have been made to strengthen the initial exchange between the EdgeConnect appliance and the Orchestrator. After the changes, EdgeConnect will validate the certificate used to identify the Orchestrator to EdgeConnect. \u2022 TLS itself is continually subject to newly discovered and exploitable vulnerabilities. As such, all versions of EdgeConnect software implement additional out-of-band and user-controlled authentication mechanisms. Any required configuration \u2022 Do not change Orchestrator\u2019s IP address as discovered by the EdgeConnect appliance. \u2022 Upgrade to Silver Peak Unity ECOS\u2122 8.3.2+ or 8.1.9.12+ and Silver Peak Unity Orchestrator\u2122 8.9.2+. \u2022 In Orchestrator, enable the \u201cVerify Orchestrator Certificate\u201d option under Advanced Security Settings."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation "
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.silver-peak.com/support/user-documentation/security-advisories",
"name": "https://www.silver-peak.com/support/user-documentation/security-advisories"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Any required configuration\n\u2022\tDo not change Orchestrator\u2019s IP address as discovered by the EdgeConnect appliance. \n\u2022\tUpgrade to Silver Peak Unity ECOS\u2122 8.3.2+ or 8.1.9.12+ and Silver Peak Unity Orchestrator\u2122 8.9.2+. \n\u2022\tIn Orchestrator, enable the \u201cVerify Orchestrator Certificate\u201d option under Advanced Security Settings. \n\nSolution link - References \n The full details of the CVE can be found at https://www.cvedetails.com/cve/CVE-2020-12143. \n"
}
],
"source": {
"advisory": "2020 -04-24-001- 002",
"discovery": "EXTERNAL"
}
}

97
2020/12xxx/CVE-2020-12144.json
View File

@ -1,18 +1,103 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "sirt@silver-peak.com",
"ID": "CVE-2020-12144",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "The certificate used to identify the Silver Peak Cloud Portal to EdgeConnect devices is not validated "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "1. Unity EdgeConnect, NX, VX 2. Unity Orchestrator\u202f 3. EdgeConnect in AWS, Azure, GCP\u202f",
"version": {
"version_data": [
{
"version_name": "All versions affected prior to Silver Peak Unity ECOS\u2122 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestrator\u2122 8.9.2+",
"version_value": "All versions affected prior to Silver Peak Unity ECOS\u2122 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestrator\u2122 8.9.2+"
}
]
}
}
]
},
"vendor_name": "Silver Peak Systems, Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This vulnerability was reported to Silver Peak by Denis Kolegov, Mariya Nedyak, and Anton Nikolaev from the SD-WAN New Hop team."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Details The certificate used to identify the Silver Peak Cloud Portal to EdgeConnect devices is not validated. This makes it possible for someone to establish a TLS connection from EdgeConnect to an untrusted portal. Product affected All versions affected prior to Silver Peak Unity ECOS\u2122 8.3.2+, 8.1.9.12+ and Silver Peak Unity Orchestrator\u2122 8.9.2+ Silver Peak Products Applicability Unity EdgeConnect, NX, VX Applicable Unity Orchestrator Applicable EdgeConnect in AWS, Azure, GCP Applicable Silver Peak Cloud Services Not Applicable Resolution \u2022 Changes have been made to strengthen the initial exchange between the EdgeConnect appliance and the Cloud Portal. After the changes, EdgeConnect will validate the certificate used to identify the Silver Peak Cloud Portal to EdgeConnect. \u2022 TLS itself is continually subject to newly discovered and exploitable vulnerabilities. As such, all versions of EdgeConnect software implement additional out-of-band and user-controlled authentication mechanisms. Any required configuration \u2022 Do not change Cloud Portal\u2019s IP address as discovered by the EdgeConnect appliance. \u2022 Upgrade to Silver Peak Unity ECOS\u2122 8.3.2+ or 8.1.9.12+ and Silver Peak Unity Orchestrator\u2122 8.9.2+. \u2022 In Orchestrator, enable the \u201cVerify Portal Certificate\u201d option under Advanced Security Settings."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295: Improper Certificate Validation "
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "MISC",
"url": "https://www.silver-peak.com/support/user-documentation/security-advisories",
"name": "https://www.silver-peak.com/support/user-documentation/security-advisories"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Resolution \n\u2022\tChanges have been made to strengthen the initial exchange between the EdgeConnect appliance and the Cloud Portal. After the changes, EdgeConnect will validate the certificate used to identify the Silver Peak Cloud Portal to EdgeConnect. \n\n\u2022\tTLS itself is continually subject to newly discovered and exploitable vulnerabilities. As such, all versions of EdgeConnect software implement additional out-of-band and user-controlled authentication mechanisms. \n\nAny required configuration\n\u2022\tDo not change Cloud Portal\u2019s IP address as discovered by the EdgeConnect appliance. \n\u2022\tUpgrade to Silver Peak Unity ECOS\u2122 8.3.2+ or 8.1.9.12+ and Silver Peak Unity Orchestrator\u2122 8.9.2+. \n\u2022\tIn Orchestrator, enable the \u201cVerify Portal Certificate\u201d option under Advanced Security Settings. \n"
},
{
"lang": "eng",
"value": "The full details of the CVE can be found at https://www.cvedetails.com/cve/CVE-2020-12144. \n\n"
}
],
"source": {
"advisory": "2020 -04-24-001- 003",
"discovery": "EXTERNAL"
}
}