Details of VAR-202008-0561

ID

VAR-202008-0561

CVE

CVE-2020-24703

TITLE

plural WSO2 Product vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2020-010579

DESCRIPTION

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1. plural WSO2 The product contains unspecified vulnerabilities.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. There are security vulnerabilities in WSO2 products, which originate from the ability of Carbon management console to send cookie information to attackers. There is a security vulnerability in WSO2 products

Trust: 2.25

sources: NVD: CVE-2020-24703 // JVNDB: JVNDB-2020-010579 // CNNVD: CNNVD-202008-1347 // VULHUB: VHN-178608

AFFECTED PRODUCTS

vendor:	wso2	model:	iot server	scope:	eq	version:	3.3.0	Trust: 1.8
vendor:	wso2	model:	iot server	scope:	eq	version:	3.3.1	Trust: 1.8
vendor:	wso2	model:	identity server analytics	scope:	eq	version:	5.5.0	Trust: 1.0
vendor:	wso2	model:	identity server	scope:	eq	version:	5.8.0	Trust: 1.0
vendor:	wso2	model:	enterprise integrator	scope:	lte	version:	6.6.0	Trust: 1.0
vendor:	wso2	model:	api manager analytics	scope:	eq	version:	2.2.0	Trust: 1.0
vendor:	wso2	model:	identity server	scope:	eq	version:	5.5.0	Trust: 1.0
vendor:	wso2	model:	api microgateway	scope:	eq	version:	2.2.0	Trust: 1.0
vendor:	wso2	model:	data analytics server	scope:	eq	version:	3.2.0	Trust: 1.0
vendor:	wso2	model:	api manager	scope:	eq	version:	2.2.0	Trust: 1.0
vendor:	wso2	model:	identity server as key manager	scope:	eq	version:	5.5.0	Trust: 1.0
vendor:	wso2	model:	api manager	scope:	-	version:	-	Trust: 0.8
vendor:	wso2	model:	api manager analytics	scope:	-	version:	-	Trust: 0.8
vendor:	wso2	model:	api microgateway	scope:	-	version:	-	Trust: 0.8
vendor:	wso2	model:	data analytics server	scope:	-	version:	-	Trust: 0.8
vendor:	wso2	model:	enterprise integrator	scope:	-	version:	-	Trust: 0.8
vendor:	wso2	model:	identity server	scope:	-	version:	-	Trust: 0.8
vendor:	wso2	model:	identity server analytics	scope:	-	version:	-	Trust: 0.8
vendor:	wso2	model:	identity server as key manager	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-010579 // NVD: CVE-2020-24703

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-24703
value:	HIGH
Trust: 1.0
cve@mitre.org:	CVE-2020-24703
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-24703
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202008-1347
value:	HIGH
Trust: 0.6
VULHUB:	VHN-178608
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-24703
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-178608
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-24703
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2020-010579
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-178608 // JVNDB: JVNDB-2020-010579 // CNNVD: CNNVD-202008-1347 // NVD: CVE-2020-24703 // NVD: CVE-2020-24703

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Lack of information (CWE-noinfo) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-010579 // NVD: CVE-2020-24703

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202008-1347

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202008-1347

PATCH

title:	WSO2-2020-0687	url:	https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0687	Trust: 0.8
title:	WSO2 Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=127962	Trust: 0.6

sources: JVNDB: JVNDB-2020-010579 // CNNVD: CNNVD-202008-1347

EXTERNAL IDS

db:	NVD	id:	CVE-2020-24703	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-010579	Trust: 0.8
db:	CNNVD	id:	CNNVD-202008-1347	Trust: 0.7
db:	VULHUB	id:	VHN-178608	Trust: 0.1

sources: VULHUB: VHN-178608 // JVNDB: JVNDB-2020-010579 // CNNVD: CNNVD-202008-1347 // NVD: CVE-2020-24703

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2020-24703	Trust: 1.4
url:	https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/wso2-2020-0687/	Trust: 1.0
url:	https://docs.wso2.com/display/security/security+advisory+wso2-2020-0687	Trust: 0.7

sources: VULHUB: VHN-178608 // JVNDB: JVNDB-2020-010579 // CNNVD: CNNVD-202008-1347 // NVD: CVE-2020-24703

SOURCES

db:	VULHUB	id:	VHN-178608
db:	JVNDB	id:	JVNDB-2020-010579
db:	CNNVD	id:	CNNVD-202008-1347
db:	NVD	id:	CVE-2020-24703

LAST UPDATE DATE

2024-11-23T22:55:05.673000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-178608	date:	2020-09-08T00:00:00
db:	JVNDB	id:	JVNDB-2020-010579	date:	2021-01-28T07:56:00
db:	CNNVD	id:	CNNVD-202008-1347	date:	2021-01-05T00:00:00
db:	NVD	id:	CVE-2020-24703	date:	2024-11-21T05:15:52.450

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-178608	date:	2020-08-27T00:00:00
db:	JVNDB	id:	JVNDB-2020-010579	date:	2021-01-28T00:00:00
db:	CNNVD	id:	CNNVD-202008-1347	date:	2020-08-27T00:00:00
db:	NVD	id:	CVE-2020-24703	date:	2020-08-27T16:15:11.583