CVE-2020-29668

Опубликовано: 10 дек. 2020

Источник: nvd

CVSS3: 3.7

CVSS2: 4.3

EPSS Низкий

Описание

Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.

Ссылки

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976020
Mailing List
Third Party Advisory
https://github.com/sympa-community/sympa/blob/6.2.59b.2/NEWS.md
Release Notes
Third Party Advisory
https://github.com/sympa-community/sympa/issues/1041
Exploit
Patch
Third Party Advisory
https://github.com/sympa-community/sympa/pull/1044
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/12/msg00026.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFZWDEKQFW3EH665OECDWIWM2MI7T53Y/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JICIHAJKKCZXJNIICUDYXGZFQCN6J4U6/
https://www.debian.org/security/2020/dsa-4818
Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976020
Mailing List
Third Party Advisory
https://github.com/sympa-community/sympa/blob/6.2.59b.2/NEWS.md
Release Notes
Third Party Advisory
https://github.com/sympa-community/sympa/issues/1041
Exploit
Patch
Third Party Advisory
https://github.com/sympa-community/sympa/pull/1044
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/12/msg00026.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFZWDEKQFW3EH665OECDWIWM2MI7T53Y/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JICIHAJKKCZXJNIICUDYXGZFQCN6J4U6/
https://www.debian.org/security/2020/dsa-4818
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:sympa:sympa:*:*:*:*:*:*:*:*

Версия до 6.2.58 (включая)

cpe:2.3:a:sympa:sympa:6.2.59:beta1:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

EPSS

Процентиль: 77%

0.01039

Низкий

3.7 Low

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-287

Связанные уязвимости

CVE-2020-29668

CVSS3: 3.7

ubuntu

около 5 лет назад

Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.

CVE-2020-29668

CVSS3: 3.7

debian

около 5 лет назад

Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API ...

GHSA-wrwc-95g6-4fm3

CVSS3: 3.7

github

больше 3 лет назад

Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.

BDU:2021-01729

CVSS3: 3.7

fstec

около 5 лет назад

Уязвимость функции authenticateAndRun менеджера электронных списков рассылки Sympa, связанная с недостатком механизма аутентификации, позволяющая нарушителю получить доступ к конфиденциальным данным

EPSS

Процентиль: 77%

0.01039

Низкий

3.7 Low

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-287