CVE-2020-5281

EPSS 0.36%
Published 25.03.2020 18:15:14
Last modified 21.11.2024 05:33:49
Source security-advisories@github.com
Teams watchlist Login
Open Login

In Perun before version 3.9.1, VO or group manager can modify configuration of the LDAP extSource to retrieve all from Perun LDAP. Issue is fixed in version 3.9.1 by sanitisation of the input.

Affected products Warnungen 0 Metrics 4 CWE 2 References 6

Data is provided by the National Vulnerability Database (NVD)

Cesnet ≫ Perun Version < 3.9.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.36%	0.549

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N
security-advisories@github.com	6.2	1	4.7	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

https://github.com/CESNET/perun/commit/ac527bc3225a64208ee5cee59e5918ee360ca039

Patch

Third Party Advisory

https://github.com/CESNET/perun/pull/2635

Patch

Third Party Advisory

https://github.com/CESNET/perun/security/advisories/GHSA-gj88-9q3f-72m3

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-5281

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-5281

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-5281

EUVD