CNVD-2021-20265
Vulnerability from cnvd - Published: 2021-03-18
VLAI
Title
WSO2 Identity Server和IS as Key Manager输入验证错误漏洞
Description
WSO2 Identity Server(IS)和WSO2 IS as Key Manager都是美国WSO2公司的产品。WSO2 Identity Server是一款身份认证服务器。WSO2 IS as Key Manager是一款密钥管理器。
WSO2 Identity Server 5.10.0及之前版本和WSO2 IS as Key Manager 5.10.0及之前版本中存在安全漏洞。攻击者可通过构建URL利用该漏洞将用户重定向到任意的外部链接,实施钓鱼攻击。
Severity
中
Patch Name
WSO2 Identity Server和IS as Key Manager输入验证错误漏洞的补丁
Patch Description
WSO2 Identity Server(IS)和WSO2 IS as Key Manager都是美国WSO2公司的产品。WSO2 Identity Server是一款身份认证服务器。WSO2 IS as Key Manager是一款密钥管理器。
WSO2 Identity Server 5.10.0及之前版本和WSO2 IS as Key Manager 5.10.0及之前版本中存在安全漏洞。攻击者可通过构建URL利用该漏洞将用户重定向到任意的外部链接,实施钓鱼攻击。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0713
Impacted products
| Name | ['WSO2 Identity Server <=5.10.0', 'WSO2 IS as Key Manager <=5.10.0'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2020-14446"
}
},
"description": "WSO2 Identity Server\uff08IS\uff09\u548cWSO2 IS as Key Manager\u90fd\u662f\u7f8e\u56fdWSO2\u516c\u53f8\u7684\u4ea7\u54c1\u3002WSO2 Identity Server\u662f\u4e00\u6b3e\u8eab\u4efd\u8ba4\u8bc1\u670d\u52a1\u5668\u3002WSO2 IS as Key Manager\u662f\u4e00\u6b3e\u5bc6\u94a5\u7ba1\u7406\u5668\u3002\n\nWSO2 Identity Server 5.10.0\u53ca\u4e4b\u524d\u7248\u672c\u548cWSO2 IS as Key Manager 5.10.0\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u6784\u5efaURL\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u7528\u6237\u91cd\u5b9a\u5411\u5230\u4efb\u610f\u7684\u5916\u90e8\u94fe\u63a5\uff0c\u5b9e\u65bd\u9493\u9c7c\u653b\u51fb\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0713",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2021-20265",
"openTime": "2021-03-18",
"patchDescription": "WSO2 Identity Server\uff08IS\uff09\u548cWSO2 IS as Key Manager\u90fd\u662f\u7f8e\u56fdWSO2\u516c\u53f8\u7684\u4ea7\u54c1\u3002WSO2 Identity Server\u662f\u4e00\u6b3e\u8eab\u4efd\u8ba4\u8bc1\u670d\u52a1\u5668\u3002WSO2 IS as Key Manager\u662f\u4e00\u6b3e\u5bc6\u94a5\u7ba1\u7406\u5668\u3002\r\n\r\nWSO2 Identity Server 5.10.0\u53ca\u4e4b\u524d\u7248\u672c\u548cWSO2 IS as Key Manager 5.10.0\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u6784\u5efaURL\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u7528\u6237\u91cd\u5b9a\u5411\u5230\u4efb\u610f\u7684\u5916\u90e8\u94fe\u63a5\uff0c\u5b9e\u65bd\u9493\u9c7c\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "WSO2 Identity Server\u548cIS as Key Manager\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"WSO2 Identity Server \u003c=5.10.0",
"WSO2 IS as Key Manager \u003c=5.10.0"
]
},
"serverity": "\u4e2d",
"submitTime": "2020-06-19",
"title": "WSO2 Identity Server\u548cIS as Key Manager\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…