cvelistv5 - CVE-2020-7009

CVE-2020-7009 (GCVE-0-2020-7009)

Vulnerability from cvelistv5 – Published: 2020-03-31 19:05 – Updated: 2024-08-04 09:18

Summary

Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.

Severity ?

No CVSS data available.

CWE

CWE-266 - Incorrect Privilege Assignment

Assigner

elastic

References

URL

	Vendor	Product	Version
	Elastic	Elasticsearch	Affected: All versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2

GHSA-GFV5-GRX2-9JW2

Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2022-06-23 18:02

Summary

Improper Privilege Management in Elasticsearch

Details

Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.8.7"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.elasticsearch:elasticsearch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.8.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.6.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.elasticsearch:elasticsearch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-23T18:02:18Z",
    "nvd_published_at": "2020-03-31T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.",
  "id": "GHSA-gfv5-grx2-9jw2",
  "modified": "2022-06-23T18:02:18Z",
  "published": "2022-05-24T17:13:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7009"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/elastic-stack-6-8-8-and-7-6-2-security-update/225920"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/elastic/elasticsearch"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200403-0004"
    },
    {
      "type": "WEB",
      "url": "https://www.elastic.co/community/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Privilege Management in Elasticsearch"
}

MSRC_CVE-2020-7009

Vulnerability from csaf_microsoft - Published: 2020-03-02 00:00 - Updated: 2021-12-01 00:00

Summary

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2020-7009 Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges. - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2020/msrc_cve-2020-7009.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.",
    "tracking": {
      "current_release_date": "2021-12-01T00:00:00.000Z",
      "generator": {
        "date": "2025-10-19T17:51:49.890Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2020-7009",
      "initial_release_date": "2020-03-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2021-12-01T00:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.0",
                "product": {
                  "name": "CBL Mariner 1.0",
                  "product_id": "16820"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccm1 rubygem-elasticsearch 8.2.0-1",
                "product": {
                  "name": "\u003ccm1 rubygem-elasticsearch 8.2.0-1",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version",
                "name": "cm1 rubygem-elasticsearch 8.2.0-1",
                "product": {
                  "name": "cm1 rubygem-elasticsearch 8.2.0-1",
                  "product_id": "18957"
                }
              }
            ],
            "category": "product_name",
            "name": "rubygem-elasticsearch"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccm1 rubygem-elasticsearch 8.2.0-1 as a component of CBL Mariner 1.0",
          "product_id": "16820-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cm1 rubygem-elasticsearch 8.2.0-1 as a component of CBL Mariner 1.0",
          "product_id": "18957-16820"
        },
        "product_reference": "18957",
        "relates_to_product_reference": "16820"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-7009",
      "cwe": {
        "id": "CWE-269",
        "name": "Improper Privilege Management"
      },
      "notes": [
        {
          "category": "general",
          "text": "elastic",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "18957-16820"
        ],
        "known_affected": [
          "16820-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-7009 Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges. - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2020/msrc_cve-2020-7009.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-12-01T00:00:00.000Z",
          "details": "8.2.0-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "16820-1"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "16820-1"
          ]
        }
      ],
      "title": "Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges."
    }
  ]
}

FKIE_CVE-2020-7009

Vulnerability from fkie_nvd - Published: 2020-03-31 19:15 - Updated: 2024-11-21 05:36

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security@elastic.co	https://discuss.elastic.co/t/elastic-stack-6-8-8-and-7-6-2-security-update/225920	Mitigation, Release Notes, Vendor Advisory
security@elastic.co	https://security.netapp.com/advisory/ntap-20200403-0004/	Third Party Advisory
security@elastic.co	https://www.elastic.co/community/security/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://discuss.elastic.co/t/elastic-stack-6-8-8-and-7-6-2-security-update/225920	Mitigation, Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20200403-0004/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.elastic.co/community/security/	Vendor Advisory

Impacted products

	Vendor	Product	Version
	elastic	elasticsearch	*
	elastic	elasticsearch	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1505B55-8739-46A0-874D-8A13FE402975",
              "versionEndExcluding": "6.8.8",
              "versionStartIncluding": "6.7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "226FB38D-4A53-4B74-AD24-24940DB7B40D",
              "versionEndExcluding": "7.6.2",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges."
    },
    {
      "lang": "es",
      "value": "Elasticsearch versiones desde 6.7.0 en versiones anteriores a la 6.8.8 y versiones 7.0.0 en versiones anteriores a la 7.6.2 contienen  un fallo de escalada de privilegios si un atacante es capaz de crear claves de la API. Un atacante que es capaz de generar una clave API puede llevar a cabo una serie de pasos que dan como resultado que se genere una clave API con privilegios elevados."
    }
  ],
  "id": "CVE-2020-7009",
  "lastModified": "2024-11-21T05:36:29.090",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-03-31T19:15:14.447",
  "references": [
    {
      "source": "security@elastic.co",
      "tags": [
        "Mitigation",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://discuss.elastic.co/t/elastic-stack-6-8-8-and-7-6-2-security-update/225920"
    },
    {
      "source": "security@elastic.co",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20200403-0004/"
    },
    {
      "source": "security@elastic.co",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.elastic.co/community/security/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://discuss.elastic.co/t/elastic-stack-6-8-8-and-7-6-2-security-update/225920"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20200403-0004/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.elastic.co/community/security/"
    }
  ],
  "sourceIdentifier": "security@elastic.co",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-266"
        }
      ],
      "source": "security@elastic.co",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

WID-SEC-W-2023-1022

Vulnerability from csaf_certbund - Published: 2023-04-18 22:00 - Updated: 2023-04-18 22:00

Summary

Oracle Communications Applications: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.

Betroffene Betriebssysteme

- UNIX - Linux - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-1022 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1022.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-1022 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1022"
      },
      {
        "category": "external",
        "summary": "Oracle Critical Patch Update Advisory - April 2023 - Appendix Oracle Communications Applications vom 2023-04-18",
        "url": "https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixCAGBU"
      }
    ],
    "source_lang": "en-US",
    "title": "Oracle Communications Applications: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-04-18T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:49:25.156+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-1022",
      "initial_release_date": "2023-04-18T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-04-18T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Oracle Communications Applications 7.4.0",
                "product": {
                  "name": "Oracle Communications Applications 7.4.0",
                  "product_id": "T018938",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:7.4.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Oracle Communications Applications 7.4.1",
                "product": {
                  "name": "Oracle Communications Applications 7.4.1",
                  "product_id": "T018939",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:7.4.1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Oracle Communications Applications 7.4.2",
                "product": {
                  "name": "Oracle Communications Applications 7.4.2",
                  "product_id": "T018940",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:7.4.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Oracle Communications Applications 6.0.1.0.0",
                "product": {
                  "name": "Oracle Communications Applications 6.0.1.0.0",
                  "product_id": "T021634",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:6.0.1.0.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Oracle Communications Applications 7.5.0",
                "product": {
                  "name": "Oracle Communications Applications 7.5.0",
                  "product_id": "T021639",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:7.5.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Oracle Communications Applications \u003c= 5.5.9",
                "product": {
                  "name": "Oracle Communications Applications \u003c= 5.5.9",
                  "product_id": "T025857",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:5.5.9"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Oracle Communications Applications \u003c= 6.0.1",
                "product": {
                  "name": "Oracle Communications Applications \u003c= 6.0.1",
                  "product_id": "T025858",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:6.0.1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Oracle Communications Applications \u003c= 5.5.10",
                "product": {
                  "name": "Oracle Communications Applications \u003c= 5.5.10",
                  "product_id": "T027322",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:5.5.10"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Oracle Communications Applications \u003c= 6.0.2",
                "product": {
                  "name": "Oracle Communications Applications \u003c= 6.0.2",
                  "product_id": "T027323",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:6.0.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Oracle Communications Applications \u003c= 12.0.6",
                "product": {
                  "name": "Oracle Communications Applications \u003c= 12.0.6",
                  "product_id": "T027324",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:12.0.6"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Oracle Communications Applications \u003c= 12.0.6.0.0",
                "product": {
                  "name": "Oracle Communications Applications \u003c= 12.0.6.0.0",
                  "product_id": "T027325",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:oracle:communications_applications:12.0.6.0.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Communications Applications"
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-1370",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2023-1370"
    },
    {
      "cve": "CVE-2023-0662",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2023-0662"
    },
    {
      "cve": "CVE-2022-46908",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2022-46908"
    },
    {
      "cve": "CVE-2022-42004",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2022-42004"
    },
    {
      "cve": "CVE-2022-41966",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2022-41966"
    },
    {
      "cve": "CVE-2022-39271",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2022-39271"
    },
    {
      "cve": "CVE-2022-36760",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2022-36760"
    },
    {
      "cve": "CVE-2022-3171",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2022-3171"
    },
    {
      "cve": "CVE-2022-31123",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2022-31123"
    },
    {
      "cve": "CVE-2022-31081",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2022-31081"
    },
    {
      "cve": "CVE-2022-1471",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2022-1471"
    },
    {
      "cve": "CVE-2021-41183",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2021-41183"
    },
    {
      "cve": "CVE-2020-7009",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2020-7009"
    },
    {
      "cve": "CVE-2020-35168",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2020-35168"
    },
    {
      "cve": "CVE-2019-11287",
      "notes": [
        {
          "category": "description",
          "text": "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
        }
      ],
      "product_status": {
        "known_affected": [
          "T018940",
          "T021634",
          "T021639",
          "T018938",
          "T018939"
        ],
        "last_affected": [
          "T025858",
          "T025857",
          "T027324",
          "T027325",
          "T027322",
          "T027323"
        ]
      },
      "release_date": "2023-04-18T22:00:00.000+00:00",
      "title": "CVE-2019-11287"
    }
  ]
}

CNVD-2020-23418

Vulnerability from cnvd - Published: 2020-04-17

Title

Elasticsearch权限提升漏洞

Description

Elasticsearch是荷兰Elasticsearch公司的一套基于Lucene构建的开源分布式RESTful搜索引擎。该产品主要应用于云计算，并支持通过HTTP使用JSON进行数据索引。 Elasticsearch 6.7.0版本至6.8.7版本和7.0.0版本至7.6.1版本中存在提权漏洞。目前没有详细的漏洞细节提供。

Severity

高

Patch Name

Elasticsearch权限提升漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.elastic.co/cn/community/security/

Impacted products

Name
['ElasticSearch ElasticSearch >=6.7.0，<=6.8.7', 'ElasticSearch ElasticSearch >=7.0.0，<=7.6.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-7009"
    }
  },
  "description": "Elasticsearch\u662f\u8377\u5170Elasticsearch\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eLucene\u6784\u5efa\u7684\u5f00\u6e90\u5206\u5e03\u5f0fRESTful\u641c\u7d22\u5f15\u64ce\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u5e94\u7528\u4e8e\u4e91\u8ba1\u7b97\uff0c\u5e76\u652f\u6301\u901a\u8fc7HTTP\u4f7f\u7528JSON\u8fdb\u884c\u6570\u636e\u7d22\u5f15\u3002\n\nElasticsearch 6.7.0\u7248\u672c\u81f36.8.7\u7248\u672c\u548c7.0.0\u7248\u672c\u81f37.6.1\u7248\u672c\u4e2d\u5b58\u5728\u63d0\u6743\u6f0f\u6d1e\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.elastic.co/cn/community/security/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-23418",
  "openTime": "2020-04-17",
  "patchDescription": "Elasticsearch\u662f\u8377\u5170Elasticsearch\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eLucene\u6784\u5efa\u7684\u5f00\u6e90\u5206\u5e03\u5f0fRESTful\u641c\u7d22\u5f15\u64ce\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u5e94\u7528\u4e8e\u4e91\u8ba1\u7b97\uff0c\u5e76\u652f\u6301\u901a\u8fc7HTTP\u4f7f\u7528JSON\u8fdb\u884c\u6570\u636e\u7d22\u5f15\u3002\r\n\r\nElasticsearch 6.7.0\u7248\u672c\u81f36.8.7\u7248\u672c\u548c7.0.0\u7248\u672c\u81f37.6.1\u7248\u672c\u4e2d\u5b58\u5728\u63d0\u6743\u6f0f\u6d1e\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Elasticsearch\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "ElasticSearch ElasticSearch \u003e=6.7.0\uff0c\u003c=6.8.7",
      "ElasticSearch ElasticSearch \u003e=7.0.0\uff0c\u003c=7.6.1"
    ]
  },
  "serverity": "\u9ad8",
  "submitTime": "2020-04-01",
  "title": "Elasticsearch\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"
}

GSD-2020-7009

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-7009

Aliases

CVE-2020-7009

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-7009",
    "description": "Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.",
    "id": "GSD-2020-7009",
    "references": [
      "https://www.suse.com/security/cve/CVE-2020-7009.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-7009"
      ],
      "details": "Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.",
      "id": "GSD-2020-7009",
      "modified": "2023-12-13T01:21:51.398098Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@elastic.co",
        "ID": "CVE-2020-7009",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Elasticsearch",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "All versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Elastic"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-266: Incorrect Privilege Assignment"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.elastic.co/community/security/",
            "refsource": "MISC",
            "url": "https://www.elastic.co/community/security/"
          },
          {
            "name": "https://discuss.elastic.co/t/elastic-stack-6-8-8-and-7-6-2-security-update/225920",
            "refsource": "MISC",
            "url": "https://discuss.elastic.co/t/elastic-stack-6-8-8-and-7-6-2-security-update/225920"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20200403-0004/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20200403-0004/"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[6.7.0,6.8.7],[7.0.0,7.6.1]",
          "affected_versions": "All versions starting from 6.7.0 up to 6.8.7, all versions starting from 7.0.0 up to 7.6.1",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-269",
            "CWE-937"
          ],
          "date": "2022-06-23",
          "description": "Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.",
          "fixed_versions": [
            "6.8.8",
            "7.6.2"
          ],
          "identifier": "CVE-2020-7009",
          "identifiers": [
            "GHSA-gfv5-grx2-9jw2",
            "CVE-2020-7009"
          ],
          "not_impacted": "All versions before 6.7.0, all versions after 6.8.7 before 7.0.0, all versions after 7.6.1",
          "package_slug": "maven/org.elasticsearch/elasticsearch",
          "pubdate": "2022-05-24",
          "solution": "Upgrade to versions 6.8.8, 7.6.2 or above.",
          "title": "Improper Privilege Management",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-7009",
            "https://discuss.elastic.co/t/elastic-stack-6-8-8-and-7-6-2-security-update/225920",
            "https://security.netapp.com/advisory/ntap-20200403-0004/",
            "https://www.elastic.co/community/security/",
            "https://github.com/advisories/GHSA-gfv5-grx2-9jw2"
          ],
          "uuid": "28d86e60-7502-46da-8440-0221b8873b9e"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.8.8",
                "versionStartIncluding": "6.7.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.6.2",
                "versionStartIncluding": "7.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@elastic.co",
          "ID": "CVE-2020-7009"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-269"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "N/A",
              "refsource": "N/A",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.elastic.co/community/security/"
            },
            {
              "name": "N/A",
              "refsource": "N/A",
              "tags": [
                "Mitigation",
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://discuss.elastic.co/t/elastic-stack-6-8-8-and-7-6-2-security-update/225920"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200403-0004/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20200403-0004/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2020-04-09T14:58Z",
      "publishedDate": "2020-03-31T19:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-7009 (GCVE-0-2020-7009)

GHSA-GFV5-GRX2-9JW2

MSRC_CVE-2020-7009

FKIE_CVE-2020-7009

WID-SEC-W-2023-1022

CNVD-2020-23418

GSD-2020-7009

Tags

Sightings

Nomenclature