8.1
CVE-2020-25237
- EPSS 1.42%
- Veröffentlicht 09.02.2021 17:15:13
- Zuletzt bearbeitet 21.11.2024 05:17:43
- Quelle productcert@siemens.com
- Teams Watchlist Login
- Unerledigt Login
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1 Update 1), SINEMA Server (All versions < V14.0 SP2 Update 2). When uploading files to an affected system using a zip container, the system does not correctly check if the relative file path of the extracted files is still within the intended target directory. With this an attacker could create or overwrite arbitrary files on an affected system. This type of vulnerability is also known as 'Zip-Slip'. (ZDI-CAN-12054)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Siemens ≫ Sinec Network Management System Version < 1.0
Siemens ≫ Sinec Network Management System Version1.0 Update-
Siemens ≫ Sinec Network Management System Version1.0 Updatesp1
Siemens ≫ Sinema Server Version < 14.0
Siemens ≫ Sinema Server Version14.0 Update-
Siemens ≫ Sinema Server Version14.0 Updatesp1
Siemens ≫ Sinema Server Version14.0 Updatesp2
Siemens ≫ Sinema Server Version14.0 Updatesp2_update1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.42% | 0.788 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.8 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
|
| nvd@nist.gov | 5.5 | 8 | 4.9 |
AV:N/AC:L/Au:S/C:N/I:P/A:P
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.