cve-2020-14490
Vulnerability from cvelistv5
Published
2020-07-29 12:25
Modified
2024-09-16 17:03
Severity ?
EPSS score ?
Summary
OpenClinic GA
References
▼ | URL | Tags | |
---|---|---|---|
ics-cert@hq.dhs.gov | https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01 | Third Party Advisory, US Government Resource |
Impacted products
▼ | Vendor | Product |
---|---|---|
open source | OpenClinic GA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:46:34.698Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "OpenClinic GA", "vendor": "open source", "versions": [ { "status": "affected", "version": "5.09.02" }, { "status": "affected", "version": "5.89.05b" } ] } ], "credits": [ { "lang": "en", "value": "Brian D. Hysell reported these vulnerabilities to CISA." } ], "datePublic": "2020-07-02T00:00:00", "descriptions": [ { "lang": "en", "value": "OpenClinic GA 5.09.02 and 5.89.05b includes arbitrary local files specified within its parameter and executes some files, which may allow disclosure of sensitive files or the execution of malicious uploaded files." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (\u0027PATH TRAVERSAL\u0027) CWE-22", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-29T12:25:53", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01" } ], "source": { "advisory": "ICSMA-20-184-01 OpenClinic GA", "discovery": "EXTERNAL" }, "title": "OpenClinic GA", "workarounds": [ { "lang": "en", "value": "OpenClinic GA is aware of these vulnerabilities but has not provided any confirmation of their resolution. Please upgrade to the latest version to ensure you have all current fixes." } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2020-07-02T00:00:00.000Z", "ID": "CVE-2020-14490", "STATE": "PUBLIC", "TITLE": "OpenClinic GA" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "OpenClinic GA", "version": { "version_data": [ { "version_affected": "=", "version_value": "5.09.02" }, { "version_affected": "=", "version_value": "5.89.05b" } ] } } ] }, "vendor_name": "open source" } ] } }, "credit": [ { "lang": "eng", "value": "Brian D. Hysell reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "OpenClinic GA 5.09.02 and 5.89.05b includes arbitrary local files specified within its parameter and executes some files, which may allow disclosure of sensitive files or the execution of malicious uploaded files." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (\u0027PATH TRAVERSAL\u0027) CWE-22" } ] } ] }, "references": { "reference_data": [ { "name": "https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01" } ] }, "source": { "advisory": "ICSMA-20-184-01 OpenClinic GA", "discovery": "EXTERNAL" }, "work_around": [ { "lang": "en", "value": "OpenClinic GA is aware of these vulnerabilities but has not provided any confirmation of their resolution. Please upgrade to the latest version to ensure you have all current fixes." } ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-14490", "datePublished": "2020-07-29T12:25:53.168931Z", "dateReserved": "2020-06-19T00:00:00", "dateUpdated": "2024-09-16T17:03:10.971Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2020-14490\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2020-07-29T13:15:10.087\",\"lastModified\":\"2020-07-30T16:11:35.780\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenClinic GA 5.09.02 and 5.89.05b includes arbitrary local files specified within its parameter and executes some files, which may allow disclosure of sensitive files or the execution of malicious uploaded files.\"},{\"lang\":\"es\",\"value\":\"OpenClinic GA versiones 5.09.02 y 5.89.05b, incluye archivos locales arbitrarios especificados dentro de su par\u00e1metro y ejecuta algunos archivos, lo que puede permitir una divulgaci\u00f3n de archivos confidenciales o una ejecuci\u00f3n de archivos maliciosos cargados\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":6.5},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openclinic_ga_project:openclinic_ga:5.09.02:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A64E5CCD-1F0D-46B2-9AE7-C917928D2788\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openclinic_ga_project:openclinic_ga:5.89.05b:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BE2E5CDB-B864-45E4-A7EA-D7EE93BC2453\"}]}]}],\"references\":[{\"url\":\"https://us-cert.cisa.gov/ics/advisories/ICSMA-20-184-01\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}" } }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.