9.1
CVE-2020-11016
- EPSS 2.33%
- Veröffentlicht 30.04.2020 23:15:11
- Zuletzt bearbeitet 21.11.2024 04:56:35
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginRemote code execution in Message sending functionality in IntelMQ Manager
IntelMQ Manager from version 1.1.0 and before version 2.1.1 has a vulnerability where the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver. Version 2.1.1 fixes the vulnerability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Intelmq Manager Project ≫ Intelmq Manager Version >= 1.1.0 < 2.1.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.33% | 0.813 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
| security-advisories@github.com | 9.1 | 3.1 | 5.3 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
https://github.com/certtools/intelmq-manager/commit/b9a2ac43a4f99d764b827108f6a99dc4a9faa013
https://github.com/certtools/intelmq-manager/releases/tag/2.1.1
https://github.com/certtools/intelmq-manager/security/advisories/GHSA-rrhh-rcgp-q2m2
https://lists.cert.at/pipermail/intelmq-users/2020-April/000161.html