FKIE_CVE-2020-6164

Vulnerability from fkie_nvd - Published: 2020-07-15 21:15 - Updated: 2024-11-21 05:35
Summary
In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page).
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD4EAB7B-E315-42D6-AEBE-C4707D12F6E7",
              "versionEndIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA2589F5-9B99-4DE2-96F0-F59D7F58987D",
              "versionEndExcluding": "4.4.7",
              "versionStartIncluding": "4.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:silverstripe:silverstripe:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C4AD7A3-B9F1-463E-95D8-B47AF68463FE",
              "versionEndExcluding": "4.5.4",
              "versionStartIncluding": "4.5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side-effect, this preconfigured path also blocks the creation of other resources on this path (e.g. a page)."
    },
    {
      "lang": "es",
      "value": "En SilverStripe versiones hasta 4.5.0, una ruta URL espec\u00edfica configurada por defecto por medio del m\u00f3dulo silverstripe/framework puede ser usada para revelar el hecho de que un dominio aloja una aplicaci\u00f3n Silverstripe. No se presenta divulgaci\u00f3n de la versi\u00f3n espec\u00edfica. La funcionalidad en esta ruta URL est\u00e1 limitada a una ejecuci\u00f3n en un contexto de CLI, y no se sabe que presente una vulnerabilidad por medio del acceso basado en la web. Como efecto secundario, esta ruta preconfigurada tambi\u00e9n bloquea la creaci\u00f3n de otros recursos en esta ruta (por ejemplo, una p\u00e1gina)"
    }
  ],
  "id": "CVE-2020-6164",
  "lastModified": "2024-11-21T05:35:13.457",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-15T21:15:13.490",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.silverstripe.org/download/security-releases/CVE-2020-6164"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.silverstripe.org/download/security-releases/CVE-2020-6164"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

