Sign-up

ID

VAR-202012-1096


CVE

CVE-2020-35710


TITLE

Parallels  of  Remote Application Server  Vulnerability regarding information leakage in

Trust: 0.8

sources: JVNDB: JVNDB-2020-018249

DESCRIPTION

Parallels Remote Application Server (RAS) 18 allows remote attackers to discover an intranet IP address because submission of the login form (even with blank credentials) provides this address to the attacker's client for use as a "host" value. In other words, after an attacker's web browser sent a request to the login form, it would automatically send a second request to a RASHTML5Gateway/socket.io URI with something like "host":"192.168.###.###" in the POST data. Parallels of Remote Application Server There is a vulnerability related to information leakage.Information may be obtained

Trust: 1.62

sources: NVD: CVE-2020-35710 // JVNDB: JVNDB-2020-018249

AFFECTED PRODUCTS

vendor:parallelsmodel:remote application serverscope:eqversion:18.0

Trust: 1.8

vendor:parallelsmodel:remote application serverscope: - version: -

Trust: 0.8

vendor:parallelsmodel:remote application serverscope:eqversion: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-018249 // NVD: CVE-2020-35710

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2020-35710
value: MEDIUM

Trust: 1.8

CNNVD: CNNVD-202012-1567
value: MEDIUM

Trust: 0.6

NVD:
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2020-35710
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

NVD:
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2020-35710
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-018249 // CNNVD: CNNVD-202012-1567 // NVD: CVE-2020-35710

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.0

problemtype:information leak (CWE-200) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2020-018249 // NVD: CVE-2020-35710

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202012-1567

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202012-1567

CONFIGURATIONS

sources:
            
            
            NVD: CVE-2020-35710

EXTERNAL IDS
db:NVDid:CVE-2020-35710
Trust: 3.2
db:JVNDBid:JVNDB-2020-018249
Trust: 0.8
db:CNNVDid:CNNVD-202012-1567
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2020-018249 // 
            
            
            
            CNNVD: CNNVD-202012-1567 // 
            
            
            
            NVD: CVE-2020-35710

REFERENCES
url:https://twitter.com/amadapa/status/1342407005110218753
Trust: 2.4
url:https://www.elladodelmal.com/2020/12/blue-team-red-team-como-parallels-ras.html
Trust: 2.4
url:https://nvd.nist.gov/vuln/detail/cve-2020-35710
Trust: 1.4
sources:
            
            
            JVNDB: JVNDB-2020-018249 // 
            
            
            
            CNNVD: CNNVD-202012-1567 // 
            
            
            
            NVD: CVE-2020-35710

SOURCES
db:JVNDBid:JVNDB-2020-018249
db:CNNVDid:CNNVD-202012-1567
db:NVDid:CVE-2020-35710

LAST UPDATE DATE
2024-07-19T23:15:52.213000+00:00

SOURCES UPDATE DATE
db:JVNDBid:JVNDB-2020-018249date:2024-07-18T01:51:00
db:CNNVDid:CNNVD-202012-1567date:2021-01-05T00:00:00
db:NVDid:CVE-2020-35710date:2020-12-30T16:00:20.750

SOURCES RELEASE DATE
db:JVNDBid:JVNDB-2020-018249date:2024-07-18T00:00:00
db:CNNVDid:CNNVD-202012-1567date:2020-12-25T00:00:00
db:NVDid:CVE-2020-35710date:2020-12-25T19:15:13.177