Auto-merge PR#4300

2025-08-04 08:44:25 +00:00 · 2020-07-14 16:42:16 -04:00 · 2020-07-14 16:42:16 -04:00 · b7b72041db
commit b7b72041db
parent 48ae406266 8e25a19435
1 changed files with 76 additions and 6 deletions
--- a/2020/5xxx/CVE-2020-5246.json
+++ b/2020/5xxx/CVE-2020-5246.json
@ -1,18 +1,88 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-5246",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "LDAP injection vulnerability in Traccar GPS Tracking System"
    },
-    "description": {
-        "description_data": [
+    "affects": {
+        "vendor": {
+            "vendor_data": [
                {
-                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "Traccar",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "< 4.9"
                                        }
                                    ]
                                }
                            }
+                        ]
+                    },
+                    "vendor_name": "Traccar"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
+    "description": {
+        "description_data": [
+            {
+                "lang": "eng",
+                "value": "Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. It occurs when user input is being used in LDAP search filter. By providing specially crafted input, an attacker can modify the logic of the LDAP query and get admin privileges.\n\nThe issue only impacts instances with LDAP configuration and where users can craft their own names.\n\nThis has been patched in version 4.9."
+            }
+        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "NONE",
+            "baseScore": 7.7,
+            "baseSeverity": "HIGH",
+            "confidentialityImpact": "NONE",
+            "integrityImpact": "HIGH",
+            "privilegesRequired": "LOW",
+            "scope": "CHANGED",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/traccar/traccar/security/advisories/GHSA-v955-7g22-2p49",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/traccar/traccar/security/advisories/GHSA-v955-7g22-2p49"
+            },
+            {
+                "name": "https://github.com/traccar/traccar/commit/e4f6e74e57ab743b65d49ae00f6624a20ca0291e",
+                "refsource": "MISC",
+                "url": "https://github.com/traccar/traccar/commit/e4f6e74e57ab743b65d49ae00f6624a20ca0291e"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-v955-7g22-2p49",
+        "discovery": "UNKNOWN"
+    }
+}