7.1 - CVE-2020-27781

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Informations
Name	CVE-2020-27781	First vendor Publication	2020-12-18
Vendor	Cve	Last vendor Modification	2023-11-07

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Overall CVSS Score	7.1
Base Score	7.1	Environmental Score	7.1
impact SubScore	5.2	Temporal Score	7.1
Exploitabality Sub Score	1.8

Attack Vector	Local	Attack Complexity	Low
Privileges Required	Low	User Interaction	None
Scope	Unchanged	Confidentiality Impact	High
Integrity Impact	High	Availability Impact	None
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:N)
Cvss Base Score	3.6	Attack Range	Local
Cvss Impact Score	4.9	Attack Complexity	Low
Cvss Expoit Score	3.9	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to an arbitrary cephx user, including existing users. The access key is retrieved via the interface drivers. Then, all users of the requesting OpenStack project can view the access key. This enables the attacker to target any resource that the user has access to. This can be done to even "admin" users, compromising the ceph administrator. This flaw affects Ceph versions prior to 14.2.16, 15.x prior to 15.2.8, and 16.x prior to 16.2.0.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27781

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-522	Insufficiently Protected Credentials (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type	Description	Count
Application	Redhat Ceph cpe:2.3:a:redhat:ceph:13.0.1:::::::* cpe:2.3:a:redhat:ceph:13.0.0:::::::* cpe:2.3:a:redhat:ceph::::::::	3
Application	Redhat Ceph Storage cpe:2.3:a:redhat:ceph_storage:4.0:::::::* cpe:2.3:a:redhat:ceph_storage:3.0:::::::* cpe:2.3:a:redhat:ceph_storage:2.0:::::::*	3
Application	Redhat Openshift Container Platform cpe:2.3:a:redhat:openshift_container_platform:4.0:::::::*	1
Application	Redhat Openstack Platform cpe:2.3:a:redhat:openstack_platform:13.0:::::::*	1
Os	Fedoraproject Fedora cpe:2.3:o:fedoraproject:fedora:33:::::::*	1

Sources (Detail)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...

Source	Url
GENTOO	https://security.gentoo.org/glsa/202105-39
MISC	https://bugzilla.redhat.com/show_bug.cgi?id=1900109
MLIST	https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html

Alert History

If you want to see full details history, please login or register.

Date	Informations
2023-11-07 21:36:10	Multiple Updates
2023-10-24 00:28:09	Multiple Updates
2021-06-04 00:23:05	Multiple Updates
2021-05-27 09:23:20	Multiple Updates
2021-05-04 13:52:59	Multiple Updates
2021-04-22 03:03:42	Multiple Updates
2021-01-03 09:22:49	Multiple Updates
2020-12-29 05:22:50	Multiple Updates
2020-12-23 09:23:01	Multiple Updates
2020-12-19 09:22:51	Multiple Updates
2020-12-19 05:22:49	First insertion

Type	Count
CWE ID(s)	1
CPE ID(s)	9
Sources(s)	4

7.1 - CVE-2020-27781

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

CPE : Common Platform Enumeration

Sources (Detail)

Alert History

Global Informations

Open Standards

COMPANY

STANDARDS

RECENT POSTS

MENU