ID

VAR-202004-1806


CVE

CVE-2020-8146


TITLE

UniFi Video Vulnerability related to authority management in

Trust: 0.8

sources: JVNDB: JVNDB-2020-003639

DESCRIPTION

In UniFi Video v3.10.1 (for Windows 7/8/10 x64) there is a Local Privilege Escalation to SYSTEM from arbitrary file deletion and DLL hijack vulnerabilities. The issue was fixed by adjusting the .tsExport folder when the controller is running on Windows and adjusting the SafeDllSearchMode in the Windows registry when installing UniFi-Video controller. Affected Products: UniFi Video Controller v3.10.2 (for Windows 7/8/10 x64) and prior. Fixed in UniFi Video Controller v3.10.3 and newer. UniFi Video contains a privilege management vulnerability. Information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state.

Trust: 1.62

sources: NVD: CVE-2020-8146 // JVNDB: JVNDB-2020-003639

AFFECTED PRODUCTS

vendor: ui, model: unifi video, scope: lte, version: 3.10.2

Trust: 1.0

vendor: ubiquiti, model: unifi video, scope: eq, version: 3.10.1

Trust: 0.8

sources: JVNDB: JVNDB-2020-003639 // NVD: CVE-2020-8146

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-8146
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-003639
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202004-059
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-8146
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003639
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

nvd@nist.gov: CVE-2020-8146
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003639
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-003639 // CNNVD: CNNVD-202004-059 // NVD: CVE-2020-8146

PROBLEMTYPE DATA

problemtype: CWE-427

Trust: 1.0

problemtype: CWE-269

Trust: 0.8

sources: JVNDB: JVNDB-2020-003639 // NVD: CVE-2020-8146

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202004-059

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202004-059

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003639

PATCH

title: Security advisory bulletin 006
url: https://community.ui.com/releases/Security-advisory-bulletin-006-006/3cf6264e-e0e6-4e26-a331-1d271f84673e

Trust: 0.8

title: UniFi Video Controller Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=113197

Trust: 0.6

sources: JVNDB: JVNDB-2020-003639 // CNNVD: CNNVD-202004-059

EXTERNAL IDS

db: NVD, id: CVE-2020-8146

Trust: 2.4

db: JVNDB, id: JVNDB-2020-003639

Trust: 0.8

db: CNNVD, id: CNNVD-202004-059

Trust: 0.6

sources: JVNDB: JVNDB-2020-003639 // CNNVD: CNNVD-202004-059 // NVD: CVE-2020-8146

REFERENCES

url: https://community.ui.com/releases/security-advisory-bulletin-006-006/3cf6264e-e0e6-4e26-a331-1d271f84673e

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2020-8146

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-8146

Trust: 0.8

sources: JVNDB: JVNDB-2020-003639 // CNNVD: CNNVD-202004-059 // NVD: CVE-2020-8146

SOURCES

db: JVNDB, id: JVNDB-2020-003639
db: CNNVD, id: CNNVD-202004-059
db: NVD, id: CVE-2020-8146

LAST UPDATE DATE

2024-11-23T23:04:24.653000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2020-003639, date: 2020-04-21T00:00:00
db: CNNVD, id: CNNVD-202004-059, date: 2020-04-08T00:00:00
db: NVD, id: CVE-2020-8146, date: 2024-11-21T05:38:22.950

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2020-003639, date: 2020-04-21T00:00:00
db: CNNVD, id: CNNVD-202004-059, date: 2020-04-01T00:00:00
db: NVD, id: CVE-2020-8146, date: 2020-04-01T23:15:13.953