CVE-2020-12878

Опубликовано: 18 фев. 2021

Источник: nvd

CVSS3: 7.8

CVSS2: 7.2

EPSS Низкий

Описание

Digi ConnectPort X2e before 3.2.30.6 allows an attacker to escalate privileges from the python user to root via a symlink attack that uses chown, related to /etc/init.d/S50dropbear.sh and the /WEB/python/.ssh directory.

Ссылки

https://github.com/fireeye/Vulnerability-Disclosures
Third Party Advisory
https://github.com/fireeye/Vulnerability-Disclosures/blob/master/FEYE-2020-0020/FEYE-2020-0020.md
Exploit
Third Party Advisory
https://www.digi.com/support/productdetail?pid=5570
Release Notes
Vendor Advisory
https://github.com/fireeye/Vulnerability-Disclosures
Third Party Advisory
https://github.com/fireeye/Vulnerability-Disclosures/blob/master/FEYE-2020-0020/FEYE-2020-0020.md
Exploit
Third Party Advisory
https://www.digi.com/support/productdetail?pid=5570
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:digi:connectport_x2e_firmware:*:*:*:*:*:*:*:*

Версия до 3.2.30.6 (исключая)

cpe:2.3:h:digi:connectport_x2e:-:*:*:*:*:*:*:*

EPSS

Процентиль: 27%

0.00097

Низкий

7.8 High

CVSS3

7.2 High

CVSS2

Дефекты

CWE-59

Связанные уязвимости

GHSA-75cr-rjwp-w5rp

github

больше 3 лет назад