cnvd - cnvd-2020-46865

CNVD-2020-46865

Vulnerability from cnvd - Published: 2020-08-19

Title

Parallels Remote Application Server (RAS)远程代码执行漏洞

Description

Parallels Remote Application Server (RAS) 是一项全面的虚拟应用程序和桌面交付解决方案,以供您的员工从任何设备访问并使用应用程序和数据。 Parallels Remote Application Server (RAS) 17.1.1存在远程代码执行漏洞。该漏洞源于存在业务逻辑错误。认证用户可通过Web应用程序利用该漏洞在后端操作系统中执行任何应用程序。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.parallels.com/products/ras/remote-application-server/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-15860

Impacted products

Name
Parallels Remote Application Server (RAS) 17.1.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-15860",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-15860"
    }
  },
  "description": "Parallels Remote Application Server (RAS) \u662f\u4e00\u9879\u5168\u9762\u7684\u865a\u62df\u5e94\u7528\u7a0b\u5e8f\u548c\u684c\u9762\u4ea4\u4ed8\u89e3\u51b3\u65b9\u6848,\u4ee5\u4f9b\u60a8\u7684\u5458\u5de5\u4ece\u4efb\u4f55\u8bbe\u5907\u8bbf\u95ee\u5e76\u4f7f\u7528\u5e94\u7528\u7a0b\u5e8f\u548c\u6570\u636e\u3002\n\nParallels Remote Application Server (RAS) 17.1.1\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5b58\u5728\u4e1a\u52a1\u903b\u8f91\u9519\u8bef\u3002\u8ba4\u8bc1\u7528\u6237\u53ef\u901a\u8fc7Web\u5e94\u7528\u7a0b\u5e8f\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u540e\u7aef\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u6267\u884c\u4efb\u4f55\u5e94\u7528\u7a0b\u5e8f\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.parallels.com/products/ras/remote-application-server/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-46865",
  "openTime": "2020-08-19",
  "products": {
    "product": "Parallels Remote Application Server (RAS) 17.1.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-15860",
  "serverity": "\u4e2d",
  "submitTime": "2020-07-27",
  "title": "Parallels Remote Application Server (RAS)\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}

CVE-2020-15860 (GCVE-0-2020-15860)

Vulnerability from cvelistv5 – Published: 2020-07-24 16:01 – Updated: 2024-08-04 13:30

Summary

Parallels Remote Application Server (RAS) 17.1.1 has a Business Logic Error causing remote code execution. It allows an authenticated user to execute any application in the backend operating system through the web application, despite the affected application not being published. In addition, it was discovered that it is possible to access any host in the internal domain, even if it has no published applications or the mentioned host is no longer associated with that server farm.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.parallels.com/products/ras/remote-app…	x_refsource_MISC
	https://www.coresecurity.com/core-labs/advisories…	x_refsource_MISC
	https://kb.parallels.com/en/125112	x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:30:22.762Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.parallels.com/products/ras/remote-application-server/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.coresecurity.com/core-labs/advisories/parallels-ras-os-command-execution"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kb.parallels.com/en/125112"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Parallels Remote Application Server (RAS) 17.1.1 has a Business Logic Error causing remote code execution. It allows an authenticated user to execute any application in the backend operating system through the web application, despite the affected application not being published. In addition, it was discovered that it is possible to access any host in the internal domain, even if it has no published applications or the mentioned host is no longer associated with that server farm."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-16T17:22:51",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.parallels.com/products/ras/remote-application-server/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.coresecurity.com/core-labs/advisories/parallels-ras-os-command-execution"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kb.parallels.com/en/125112"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-15860",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Parallels Remote Application Server (RAS) 17.1.1 has a Business Logic Error causing remote code execution. It allows an authenticated user to execute any application in the backend operating system through the web application, despite the affected application not being published. In addition, it was discovered that it is possible to access any host in the internal domain, even if it has no published applications or the mentioned host is no longer associated with that server farm."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.parallels.com/products/ras/remote-application-server/",
              "refsource": "MISC",
              "url": "https://www.parallels.com/products/ras/remote-application-server/"
            },
            {
              "name": "https://www.coresecurity.com/core-labs/advisories/parallels-ras-os-command-execution",
              "refsource": "MISC",
              "url": "https://www.coresecurity.com/core-labs/advisories/parallels-ras-os-command-execution"
            },
            {
              "name": "https://kb.parallels.com/en/125112",
              "refsource": "CONFIRM",
              "url": "https://kb.parallels.com/en/125112"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-15860",
    "datePublished": "2020-07-24T16:01:41",
    "dateReserved": "2020-07-20T00:00:00",
    "dateUpdated": "2024-08-04T13:30:22.762Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-46865

CVE-2020-15860 (GCVE-0-2020-15860)

Tags

Sightings

Nomenclature