exploitDog

CVE-2020-6939

Опубликовано: 23 нояб. 2020

Источник: nvd

CVSS3: 9.8

CVSS2: 10

EPSS Низкий

Описание

Tableau Server installations configured with Site-Specific SAML that allows the APIs to be used by unauthenticated users. If exploited, this could allow a malicious user to configure Site-Specific SAML settings and could lead to account takeover for users of that site. Tableau Server versions affected on both Windows and Linux are: 2018.2 through 2018.2.27, 2018.3 through 2018.3.24, 2019.1 through 2019.1.22, 2019.2 through 2019.2.18, 2019.3 through 2019.3.14, 2019.4 through 2019.4.13, 2020.1 through 2020.1.10, 2020.2 through 2020.2.7, and 2020.3 through 2020.3.2.

Ссылки

https://help.salesforce.com/articleView?id=000355686&type=1&mode=1
Third Party Advisory
https://help.salesforce.com/articleView?id=000355686&type=1&mode=1
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*

Версия от 2018.2 (включая) до 2018.2.27 (включая)

cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*

Версия от 2018.3 (включая) до 2018.3.24 (включая)

cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*

Версия от 2019.1 (включая) до 2019.1.22 (включая)

cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*

Версия от 2019.2 (включая) до 2019.2.18 (включая)

cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*

Версия от 2019.3 (включая) до 2019.3.14 (включая)

cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*

Версия от 2019.4 (включая) до 2019.4.13 (включая)

cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*

Версия от 2020.1 (включая) до 2020.1.10 (включая)

cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*

Версия от 2020.2 (включая) до 2020.2.7 (включая)

cpe:2.3:a:tableau:tableau_server:*:*:*:*:*:*:*:*

Версия от 2020.3 (включая) до 2020.3.2 (включая)

EPSS

Процентиль: 80%

0.01355

Низкий

9.8 Critical

CVSS3

10 Critical

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

GHSA-5996-m95h-vq3m

github

больше 3 лет назад

Tableau Server installations configured with Site-Specific SAML that allows the APIs to be used by unauthenticated users. If exploited, this could allow a malicious user to configure Site-Specific SAML settings and could lead to account takeover for users of that site. Tableau Server versions affected on both Windows and Linux are: 2018.2 through 2018.2.27, 2018.3 through 2018.3.24, 2019.1 through 2019.1.22, 2019.2 through 2019.2.18, 2019.3 through 2019.3.14, 2019.4 through 2019.4.13, 2020.1 through 2020.1.10, 2020.2 through 2020.2.7, and 2020.3 through 2020.3.2.

EPSS

Процентиль: 80%

0.01355

Низкий

9.8 Critical

CVSS3

10 Critical

CVSS2

Дефекты

NVD-CWE-noinfo