Details of VAR-202007-0651

ID

VAR-202007-0651

CVE

CVE-2020-15860

TITLE

Parallels Remote Application Server Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-008823

DESCRIPTION

Parallels Remote Application Server (RAS) 17.1.1 has a Business Logic Error causing remote code execution. It allows an authenticated user to execute any application in the backend operating system through the web application, despite the affected application not being published. In addition, it was discovered that it is possible to access any host in the internal domain, even if it has no published applications or the mentioned host is no longer associated with that server farm. (DoS) It may be put into a state

Trust: 1.71

sources: NVD: CVE-2020-15860 // JVNDB: JVNDB-2020-008823 // VULMON: CVE-2020-15860

AFFECTED PRODUCTS

vendor:

parallels

model:

remote application server

scope:

version:

17.1.1

Trust: 1.8

sources: JVNDB: JVNDB-2020-008823 // NVD: CVE-2020-15860

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2020-15860
value:	CRITICAL
Trust: 1.0
NVD:	JVNDB-2020-008823
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202007-1520
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2020-15860
value:	MEDIUM
Trust: 0.1

NVD:
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2020-008823
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULMON:	CVE-2020-15860
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

NVD:
baseSeverity:	CRITICAL
baseScore:	9.9
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.1
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	JVNDB-2020-008823
baseSeverity:	CRITICAL
baseScore:	9.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2020-15860 // JVNDB: JVNDB-2020-008823 // NVD: CVE-2020-15860 // CNNVD: CNNVD-202007-1520

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2020-008823 // NVD: CVE-2020-15860

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-1520

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202007-1520

CONFIGURATIONS

sources: NVD: CVE-2020-15860

PATCH

title:	Parallels RAS	url:	https://www.parallels.com/products/ras/remote-application-server/	Trust: 0.8
title:	Remote Application Server Vulnerability - CVE-2020-15860	url:	https://kb.parallels.com/en/125112	Trust: 0.8
title:	-	url:	https://github.com/live-hack-cve/cve-2020-15860	Trust: 0.1

sources: VULMON: CVE-2020-15860 // JVNDB: JVNDB-2020-008823

EXTERNAL IDS

db:	NVD	id:	CVE-2020-15860	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-008823	Trust: 0.8
db:	NSFOCUS	id:	47900	Trust: 0.6
db:	CNNVD	id:	CNNVD-202007-1520	Trust: 0.6
db:	VULMON	id:	CVE-2020-15860	Trust: 0.1

sources: VULMON: CVE-2020-15860 // JVNDB: JVNDB-2020-008823 // NVD: CVE-2020-15860 // CNNVD: CNNVD-202007-1520

REFERENCES

url:	https://www.coresecurity.com/core-labs/advisories/parallels-ras-os-command-execution	Trust: 1.7
url:	https://www.parallels.com/products/ras/remote-application-server/	Trust: 1.7
url:	https://kb.parallels.com/en/125112	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-15860	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-15860	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/47900	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://github.com/live-hack-cve/cve-2020-15860	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2020-15860 // JVNDB: JVNDB-2020-008823 // NVD: CVE-2020-15860 // CNNVD: CNNVD-202007-1520

SOURCES

db:	VULMON	id:	CVE-2020-15860
db:	JVNDB	id:	JVNDB-2020-008823
db:	NVD	id:	CVE-2020-15860
db:	CNNVD	id:	CNNVD-202007-1520

LAST UPDATE DATE

2023-12-18T13:28:02.342000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2020-15860	date:	2023-01-20T00:00:00
db:	JVNDB	id:	JVNDB-2020-008823	date:	2020-09-28T00:00:00
db:	NVD	id:	CVE-2020-15860	date:	2023-01-20T20:49:37.590
db:	CNNVD	id:	CNNVD-202007-1520	date:	2020-09-17T00:00:00

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2020-15860	date:	2020-07-24T00:00:00
db:	JVNDB	id:	JVNDB-2020-008823	date:	2020-09-28T00:00:00
db:	NVD	id:	CVE-2020-15860	date:	2020-07-24T16:15:11.973
db:	CNNVD	id:	CNNVD-202007-1520	date:	2020-07-24T00:00:00