CVE-2020-7982

Опубликовано: 16 мар. 2020

Источник: nvd

CVSS3: 8.1

CVSS2: 6.8

EPSS Низкий

Описание

An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary package payloads (which are installed without verification).

Ссылки

https://arstechnica.com/information-technology/2020/03/openwrt-is-vulnerable-to-attacks-that-execute-malicious-code/
Exploit
Press/Media Coverage
Third Party Advisory
https://blog.forallsecure.com/uncovering-openwrt-remote-code-execution-cve-2020-7982
Exploit
Third Party Advisory
https://github.com/openwrt/openwrt/commits/master
Patch
Third Party Advisory
https://openwrt.org/advisory/2020-01-31-1
Vendor Advisory
https://arstechnica.com/information-technology/2020/03/openwrt-is-vulnerable-to-attacks-that-execute-malicious-code/
Exploit
Press/Media Coverage
Third Party Advisory
https://blog.forallsecure.com/uncovering-openwrt-remote-code-execution-cve-2020-7982
Exploit
Third Party Advisory
https://github.com/openwrt/openwrt/commits/master
Patch
Third Party Advisory
https://openwrt.org/advisory/2020-01-31-1
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:openwrt:lede:*:*:*:*:*:*:*:*

Версия от 17.01.0 (включая) до 17.01.7 (включая)

cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*

Версия от 18.06.0 (включая) до 18.06.7 (исключая)

cpe:2.3:o:openwrt:openwrt:19.07.0:-:*:*:*:*:*:*

EPSS

Процентиль: 89%

0.04368

Низкий

8.1 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-345

Связанные уязвимости

GHSA-573w-86fx-gf5p