CVE-2020-15145 (GCVE-0-2020-15145)
Vulnerability from cvelistv5 – Published: 2020-08-14 16:35 – Updated: 2024-08-04 13:08
VLAI?
Summary
In Composer-Setup for Windows before version 6.0.0, if the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\ProgramData\ComposerSetup\bin\composer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:\ProgramData\ComposerSetup\bin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability.
Severity ?
6.7 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| composer | windows-setup |
Affected:
< 6.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.821Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "windows-setup",
"vendor": "composer",
"versions": [
{
"status": "affected",
"version": "\u003c 6.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Composer-Setup for Windows before version 6.0.0, if the developer\u0027s computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\\ProgramData\\ComposerSetup\\bin\\composer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:\\ProgramData\\ComposerSetup\\bin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-14T16:35:13",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804"
}
],
"source": {
"advisory": "GHSA-wgrx-r3qv-332c",
"discovery": "UNKNOWN"
},
"title": "Local privilege elevation in Composer-Setup for Windows",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15145",
"STATE": "PUBLIC",
"TITLE": "Local privilege elevation in Composer-Setup for Windows"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "windows-setup",
"version": {
"version_data": [
{
"version_value": "\u003c 6.0.0"
}
]
}
}
]
},
"vendor_name": "composer"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Composer-Setup for Windows before version 6.0.0, if the developer\u0027s computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\\ProgramData\\ComposerSetup\\bin\\composer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:\\ProgramData\\ComposerSetup\\bin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-276: Incorrect Default Permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c",
"refsource": "CONFIRM",
"url": "https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c"
},
{
"name": "https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804",
"refsource": "MISC",
"url": "https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804"
}
]
},
"source": {
"advisory": "GHSA-wgrx-r3qv-332c",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15145",
"datePublished": "2020-08-14T16:35:13",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:21.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:getcomposer:composer-setup:*:*:*:*:*:windows:*:*\", \"versionEndExcluding\": \"6.0.0\", \"matchCriteriaId\": \"96AF5B75-DD24-474E-A464-D9CA5BA790C3\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"In Composer-Setup for Windows before version 6.0.0, if the developer\u0027s computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\\\\ProgramData\\\\ComposerSetup\\\\bin\\\\composer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:\\\\ProgramData\\\\ComposerSetup\\\\bin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability.\"}, {\"lang\": \"es\", \"value\": \"En Composer-Setup para Windows versiones anteriores a 6.0.0, si la computadora del desarrollador es compartida con otros usuarios, un atacante local puede ser capaz de explotar los siguientes escenarios. 1. Un usuario habitual local puede modificar el archivo \\\"C:\\\\ProgramData\\\\ComposerSetup\\\\bin\\\\composer.bat\\\" existente para conseguir una ejecuci\\u00f3n de comandos elevados cuando composer es ejecutado por un administrador. 2. Un usuario habitual local puede crear una dll especialmente dise\\u00f1ada en la carpeta \\\"C:\\\\ProgramData\\\\ComposerSetup\\\\bin\\\" para alcanzar privilegios del Sistema Local. Consulte: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. Si el directorio de php.exe seleccionado por el usuario no est\\u00e1 en la ruta del sistema, es agregado sin comprobar que est\\u00e9 protegido por el administrador, seg\\u00fan las mejores practicas de Microsoft. Consulte: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability.\"}]",
"id": "CVE-2020-15145",
"lastModified": "2024-11-21T05:04:56.313",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N\", \"baseScore\": 6.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.5, \"impactScore\": 4.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.5, \"impactScore\": 6.0}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 4.4, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 3.4, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
"published": "2020-08-14T17:15:14.377",
"references": "[{\"url\": \"https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-276\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-15145\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-08-14T17:15:14.377\",\"lastModified\":\"2024-11-21T05:04:56.313\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Composer-Setup for Windows before version 6.0.0, if the developer\u0027s computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\\\\ProgramData\\\\ComposerSetup\\\\bin\\\\composer.bat` in order to get elevated command execution when composer is run by an administrator. 2. A local regular user may create a specially crafted dll in the `C:\\\\ProgramData\\\\ComposerSetup\\\\bin` folder in order to get Local System privileges. See: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. If the directory of the php.exe selected by the user is not in the system path, it is added without checking that it is admin secured, as per Microsoft guidelines. See: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability.\"},{\"lang\":\"es\",\"value\":\"En Composer-Setup para Windows versiones anteriores a 6.0.0, si la computadora del desarrollador es compartida con otros usuarios, un atacante local puede ser capaz de explotar los siguientes escenarios. 1. Un usuario habitual local puede modificar el archivo \\\"C:\\\\ProgramData\\\\ComposerSetup\\\\bin\\\\composer.bat\\\" existente para conseguir una ejecuci\u00f3n de comandos elevados cuando composer es ejecutado por un administrador. 2. Un usuario habitual local puede crear una dll especialmente dise\u00f1ada en la carpeta \\\"C:\\\\ProgramData\\\\ComposerSetup\\\\bin\\\" para alcanzar privilegios del Sistema Local. Consulte: https://itm4n.github.io/windows-server-netman-dll-hijacking. 3. Si el directorio de php.exe seleccionado por el usuario no est\u00e1 en la ruta del sistema, es agregado sin comprobar que est\u00e9 protegido por el administrador, seg\u00fan las mejores practicas de Microsoft. Consulte: https://msrc-blog.microsoft.com/2018/04/04/triaging-a-dll-planting-vulnerability.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.5,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.5,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":4.4,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.4,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getcomposer:composer-setup:*:*:*:*:*:windows:*:*\",\"versionEndExcluding\":\"6.0.0\",\"matchCriteriaId\":\"96AF5B75-DD24-474E-A464-D9CA5BA790C3\"}]}]}],\"references\":[{\"url\":\"https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/composer/windows-setup/commit/ca9f1435d368e3377e82d60ef0c7b795afa9f804\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/composer/windows-setup/security/advisories/GHSA-wgrx-r3qv-332c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…