From bf9c5b8291f602618a1626814f2e6d2bd4e6f4ae Mon Sep 17 00:00:00 2001 From: CVE Team Date: Wed, 29 Jul 2020 14:01:29 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2020/14xxx/CVE-2020-14486.json | 100 +++++++++++++++++++++++++++++--- 2020/14xxx/CVE-2020-14487.json | 102 ++++++++++++++++++++++++++++++--- 2020/14xxx/CVE-2020-14488.json | 100 +++++++++++++++++++++++++++++--- 2020/15xxx/CVE-2020-15497.json | 2 +- 2020/2xxx/CVE-2020-2076.json | 50 +++++++++++++++- 2020/2xxx/CVE-2020-2077.json | 50 +++++++++++++++- 2020/2xxx/CVE-2020-2078.json | 50 +++++++++++++++- 2020/8xxx/CVE-2020-8203.json | 5 ++ 8 files changed, 428 insertions(+), 31 deletions(-) diff --git a/2020/14xxx/CVE-2020-14486.json b/2020/14xxx/CVE-2020-14486.json index 0ed0911c754..52d2553cd02 100644 --- a/2020/14xxx/CVE-2020-14486.json +++ b/2020/14xxx/CVE-2020-14486.json @@ -1,18 +1,104 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2020-07-02T00:00:00.000Z", "ID": "CVE-2020-14486", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "OpenClinic GA" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "OpenClinic GA", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "5.09.02" + }, + { + "version_affected": "=", + "version_value": "5.89.05b" + } + ] + } + } + ] + }, + "vendor_name": "open source" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Brian D. Hysell reported these vulnerabilities to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An attacker may bypass permission/authorization checks in OpenClinic GA 5.09.02 and 5.89.05b by ignoring the redirect of a permission failure, which may allow unauthorized execution of commands." } ] - } + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 6.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "IMPROPER AUTHORIZATION CWE-285" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01", + "name": "https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01" + } + ] + }, + "source": { + "advisory": "ICSMA-20-184-01 OpenClinic GA", + "discovery": "EXTERNAL" + }, + "work_around": [ + { + "lang": "eng", + "value": "OpenClinic GA is aware of these vulnerabilities but has not provided any confirmation of their resolution. Please upgrade to the latest version to ensure you have all current fixes." + } + ] } \ No newline at end of file diff --git a/2020/14xxx/CVE-2020-14487.json b/2020/14xxx/CVE-2020-14487.json index 63e829af57e..ef7172b247f 100644 --- a/2020/14xxx/CVE-2020-14487.json +++ b/2020/14xxx/CVE-2020-14487.json @@ -1,18 +1,106 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2020-07-02T00:00:00.000Z", "ID": "CVE-2020-14487", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "OpenClinic GA" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "OpenClinic GA", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "5.09.02" + } + ] + } + } + ] + }, + "vendor_name": "open source" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Brian D. Hysell reported these vulnerabilities to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "OpenClinic GA 5.09.02 contains a hidden default user account that may be accessed if an administrator has not expressly turned off this account, which may allow an attacker to login and execute arbitrary commands." } ] - } + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "LOW", + "baseScore": 9.4, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "HIDDEN FUNCTIONALITY CWE-912" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01", + "name": "https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01" + } + ] + }, + "solution": [ + { + "lang": "eng", + "value": "Update to version 5.89.05b or newer." + } + ], + "source": { + "advisory": "ICSMA-20-184-01 OpenClinic GA", + "discovery": "EXTERNAL" + }, + "work_around": [ + { + "lang": "eng", + "value": "OpenClinic GA is aware of these vulnerabilities but has not provided any confirmation of their resolution. Please upgrade to the latest version to ensure you have all current fixes." + } + ] } \ No newline at end of file diff --git a/2020/14xxx/CVE-2020-14488.json b/2020/14xxx/CVE-2020-14488.json index bc2a140e3bc..52bfcdd3eb1 100644 --- a/2020/14xxx/CVE-2020-14488.json +++ b/2020/14xxx/CVE-2020-14488.json @@ -1,18 +1,104 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "ics-cert@hq.dhs.gov", + "DATE_PUBLIC": "2020-07-02T00:00:00.000Z", "ID": "CVE-2020-14488", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "OpenClinic GA" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "OpenClinic GA", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "5.09.02" + }, + { + "version_affected": "=", + "version_value": "5.89.05b" + } + ] + } + } + ] + }, + "vendor_name": "open source" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Brian D. Hysell reported these vulnerabilities to CISA." + } + ], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "OpenClinic GA 5.09.02 and 5.89.05b does not properly verify uploaded files, which may allow a low-privilege user to upload and execute arbitrary files on the system." } ] - } + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 8.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "url": "https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01", + "name": "https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01" + } + ] + }, + "source": { + "advisory": "ICSMA-20-184-01 OpenClinic GA", + "discovery": "EXTERNAL" + }, + "work_around": [ + { + "lang": "eng", + "value": "OpenClinic GA is aware of these vulnerabilities but has not provided any confirmation of their resolution. Please upgrade to the latest version to ensure you have all current fixes." + } + ] } \ No newline at end of file diff --git a/2020/15xxx/CVE-2020-15497.json b/2020/15xxx/CVE-2020-15497.json index c77a2042973..346e34da229 100644 --- a/2020/15xxx/CVE-2020-15497.json +++ b/2020/15xxx/CVE-2020-15497.json @@ -34,7 +34,7 @@ "description_data": [ { "lang": "eng", - "value": "jcore/portal/ajaxPortal.jsp in Jalios JCMS 10.0.2 build-20200224104759 allows XSS via the types parameter." + "value": "** DISPUTED ** jcore/portal/ajaxPortal.jsp in Jalios JCMS 10.0.2 build-20200224104759 allows XSS via the types parameter. Note: It is asserted that this vulnerability is not present in the standard installation of Jalios JCMS." } ] }, diff --git a/2020/2xxx/CVE-2020-2076.json b/2020/2xxx/CVE-2020-2076.json index 8dd6ac7e825..714314e7c0b 100644 --- a/2020/2xxx/CVE-2020-2076.json +++ b/2020/2xxx/CVE-2020-2076.json @@ -4,14 +4,58 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-2076", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@sick.de", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "SICK Package Analytics", + "version": { + "version_data": [ + { + "version_value": "<=V04.0.0" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Authentication Bypass Using an Alternate Path or Channel" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://www.sick.com/de/en/service-and-support/the-sick-product-security-incident-response-team-sick-psirt/w/psirt/#advisories", + "url": "https://www.sick.com/de/en/service-and-support/the-sick-product-security-incident-response-team-sick-psirt/w/psirt/#advisories" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SICK Package Analytics software up to and including version V04.0.0 are vulnerable to an authentication bypass by directly interfacing with the REST API. An attacker can send unauthorized requests, bypass current authentication controls presented by the application and could potentially write files without authentication." } ] } diff --git a/2020/2xxx/CVE-2020-2077.json b/2020/2xxx/CVE-2020-2077.json index c1a9b70f4f9..53da59af510 100644 --- a/2020/2xxx/CVE-2020-2077.json +++ b/2020/2xxx/CVE-2020-2077.json @@ -4,14 +4,58 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-2077", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@sick.de", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "SICK Package Analytics", + "version": { + "version_data": [ + { + "version_value": "<=V04.0.0" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Incorrect Default Permissions" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://www.sick.com/de/en/service-and-support/the-sick-product-security-incident-response-team-sick-psirt/w/psirt/#advisories", + "url": "https://www.sick.com/de/en/service-and-support/the-sick-product-security-incident-response-team-sick-psirt/w/psirt/#advisories" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "SICK Package Analytics software up to and including version V04.0.0 are vulnerable due to incorrect default permissions settings. An unauthorized attacker could read sensitive data from the system by querying for known files using the REST API directly." } ] } diff --git a/2020/2xxx/CVE-2020-2078.json b/2020/2xxx/CVE-2020-2078.json index f5c32c989d6..1aa20258f21 100644 --- a/2020/2xxx/CVE-2020-2078.json +++ b/2020/2xxx/CVE-2020-2078.json @@ -4,14 +4,58 @@ "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2020-2078", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@sick.de", + "STATE": "PUBLIC" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "n/a", + "product": { + "product_data": [ + { + "product_name": "SICK Package Analytics", + "version": { + "version_data": [ + { + "version_value": "<=V04.1.1" + } + ] + } + } + ] + } + } + ] + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "Cleartext Storage of Sensitive Information" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "MISC", + "name": "https://www.sick.com/de/en/service-and-support/the-sick-product-security-incident-response-team-sick-psirt/w/psirt/#advisories", + "url": "https://www.sick.com/de/en/service-and-support/the-sick-product-security-incident-response-team-sick-psirt/w/psirt/#advisories" + } + ] }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Passwords are stored in plain text within the configuration of SICK Package Analytics software up to and including V04.1.1. An authorized attacker could access these stored plaintext credentials and gain access to the ftp service. Storing a password in plaintext allows attackers to easily gain access to systems, potentially compromising personal information or other sensitive information." } ] } diff --git a/2020/8xxx/CVE-2020-8203.json b/2020/8xxx/CVE-2020-8203.json index 3f5c12c533f..6dedc269df0 100644 --- a/2020/8xxx/CVE-2020-8203.json +++ b/2020/8xxx/CVE-2020-8203.json @@ -53,6 +53,11 @@ "refsource": "CONFIRM", "name": "https://security.netapp.com/advisory/ntap-20200724-0006/", "url": "https://security.netapp.com/advisory/ntap-20200724-0006/" + }, + { + "refsource": "MISC", + "name": "https://github.com/lodash/lodash/issues/4874", + "url": "https://github.com/lodash/lodash/issues/4874" } ] },