ID

VAR-202006-1604


CVE

CVE-2020-7932


TITLE

OMERO.web information disclosure vulnerability

Trust: 1.2

sources: CNVD: CNVD-2021-20275 // CNNVD: CNNVD-202006-1194

DESCRIPTION

OMERO.web before 5.6.3 optionally allows sensitive data elements (e.g., a session key) to be passed as URL query parameters. If an attacker tricks a user into clicking a malicious link in OMERO.web, the information in the query parameters may be exposed in the Referer header seen by the target. Information in the URL path such as object IDs may also be exposed. OMERO.web contains an information leakage vulnerability. Information may be obtained. OMERO.web is a client program of the Open Microscopy Environment team for viewing images on the OMERO server from a web browser. Attackers can use this vulnerability to obtain information by enticing users to click a malicious link in OMERO.web.

Trust: 2.16

sources: NVD: CVE-2020-7932 // JVNDB: JVNDB-2020-006938 // CNVD: CNVD-2021-20275

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-20275

AFFECTED PRODUCTS

vendor: openmicroscopy, model: omero.web, scope: lt, version: 5.6.3

Trust: 1.0

vendor: open microscopy environment, model: omero.web, scope: eq, version: 5.6.3

Trust: 0.8

vendor: open, model: microscopy environment omero.web, scope: lt, version: 5.6.3

Trust: 0.6

sources: CNVD: CNVD-2021-20275 // JVNDB: JVNDB-2020-006938 // NVD: CVE-2020-7932

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-7932
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-006938
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2021-20275
value: LOW

Trust: 0.6

CNNVD: CNNVD-202006-1194
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2020-7932
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-006938
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2021-20275
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-7932
baseSeverity: MEDIUM
baseScore: 5.7
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.1
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-006938
baseSeverity: MEDIUM
baseScore: 5.7
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-20275 // JVNDB: JVNDB-2020-006938 // CNNVD: CNNVD-202006-1194 // NVD: CVE-2020-7932

PROBLEMTYPE DATA

problemtype: CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2020-006938 // NVD: CVE-2020-7932

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-1194

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202006-1194

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-006938

PATCH

title: 2019-SV4 Web Referrer Leakage, url: https://www.openmicroscopy.org/security/advisories/2019-SV4/

Trust: 0.8

title: Patch for OMERO.web information disclosure vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/253796

Trust: 0.6

title: OMERO.web Repair measures for information disclosure vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=122559

Trust: 0.6

sources: CNVD: CNVD-2021-20275 // JVNDB: JVNDB-2020-006938 // CNNVD: CNNVD-202006-1194

EXTERNAL IDS

db: NVD, id: CVE-2020-7932

Trust: 3.0

db: JVNDB, id: JVNDB-2020-006938

Trust: 0.8

db: CNVD, id: CNVD-2021-20275

Trust: 0.6

db: CNNVD, id: CNNVD-202006-1194

Trust: 0.6

sources: CNVD: CNVD-2021-20275 // JVNDB: JVNDB-2020-006938 // CNNVD: CNNVD-202006-1194 // NVD: CVE-2020-7932

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2020-7932

Trust: 2.0

url: https://www.openmicroscopy.org/security/advisories/2019-sv4/

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-7932

Trust: 0.8

sources: CNVD: CNVD-2021-20275 // JVNDB: JVNDB-2020-006938 // CNNVD: CNNVD-202006-1194 // NVD: CVE-2020-7932

SOURCES

db: CNVD, id: CNVD-2021-20275
db: JVNDB, id: JVNDB-2020-006938
db: CNNVD, id: CNNVD-202006-1194
db: NVD, id: CVE-2020-7932

LAST UPDATE DATE

2024-11-23T23:01:21.347000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-20275, date: 2021-03-23T00:00:00
db: JVNDB, id: JVNDB-2020-006938, date: 2020-07-22T00:00:00
db: CNNVD, id: CNNVD-202006-1194, date: 2020-06-28T00:00:00
db: NVD, id: CVE-2020-7932, date: 2024-11-21T05:38:02.157

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-20275, date: 2021-03-19T00:00:00
db: JVNDB, id: JVNDB-2020-006938, date: 2020-07-22T00:00:00
db: CNNVD, id: CNNVD-202006-1194, date: 2020-06-17T00:00:00
db: NVD, id: CVE-2020-7932, date: 2020-06-17T17:15:10.753