CVE-2020-8233 (GCVE-0-2020-8233)
Vulnerability from cvelistv5 – Published: 2020-08-17 15:41 – Updated: 2024-08-04 09:56
- CWE-77 - Command Injection - Generic (CWE-77)
| URL | Tags |
|---|---|
| https://community.ui.com/releases/Security-adviso… | x_refsource_MISC |
| https://community.ui.com/releases/EdgeMAX-EdgeSwi… | x_refsource_MISC |
| https://www.ui.com/download/edgemax | x_refsource_MISC |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisoryx_refsource_SUSE |
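| Vendor | Product | Version |
|---|---|---|
| n/a | EdgeSwitch firmware v1.9.0 and prior | Affected: Fixed version EdgeSwitch firmware v1.9.1 |

Note: the CNA record carries the fixed release (v1.9.1) in its affected-version field. The product string says v1.9.0 and prior are affected, while the description and the NVD CPE range (versionEndExcluding 1.9.0) say versions before v1.9.0. When checking inventory, treat v1.9.0 as in scope and confirm devices run the fixed release v1.9.1.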
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.573Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.ui.com/download/edgemax"
},
{
"name": "openSUSE-SU-2020:1652",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "EdgeSwitch firmware v1.9.0 and prior",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed version EdgeSwitch firmware v1.9.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A command injection vulnerability exists in EdgeSwitch firmware \u003cv1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection - Generic (CWE-77)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-10T23:06:22.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.ui.com/download/edgemax"
},
{
"name": "openSUSE-SU-2020:1652",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8233",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "EdgeSwitch firmware v1.9.0 and prior",
"version": {
"version_data": [
{
"version_value": "Fixed version EdgeSwitch firmware v1.9.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A command injection vulnerability exists in EdgeSwitch firmware \u003cv1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Command Injection - Generic (CWE-77)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821",
"refsource": "MISC",
"url": "https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821"
},
{
"name": "https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c",
"refsource": "MISC",
"url": "https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c"
},
{
"name": "https://www.ui.com/download/edgemax",
"refsource": "MISC",
"url": "https://www.ui.com/download/edgemax"
},
{
"name": "openSUSE-SU-2020:1652",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8233",
"datePublished": "2020-08-17T15:41:19.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2020-8233",
"date": "2026-06-24",
"epss": "0.04419",
"percentile": "0.90104"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-8233\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2020-08-17T16:15:13.857\",\"lastModified\":\"2024-11-21T05:38:33.437\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A command injection vulnerability exists in EdgeSwitch firmware \u003cv1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges.\"},{\"lang\":\"es\",\"value\":\"Se presenta una vulnerabilidad de inyecci\u00f3n de comandos en el firmware de EdgeSwitch versiones anteriores a v1.9.0, que permit\u00eda a un usuario autenticado de solo lectura ejecutar comandos de shell arbitrarios por medio de la interfaz HTTP, permiti\u00e9ndoles escalar privilegios.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:C/I:C/A:C\",\"baseScore\":9.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"de
scription\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ui:edgeswitch_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.9.0\",\"matchCriteriaId\":\"99D34145-C467-493B-8055-6CB58FE29C37\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ui:ep-16-xg:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AED6B48F-78E6-4BE2-A89C-36887E3CE63B\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ui:ep-s16:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C52B2CB9-844B-4720-BEC9-A73C9994C7AC\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ui:es-12f:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"35E11BF8-2295-4DC3-B463-DC305B2ED456\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ui:es-16-150w:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AD4B5024-6E26-4011-9392-26E304C0B00C\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ui:es-24-250w:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EBA2938D-8AF2-47D5-B881-AD27A999989D\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ui:es-24-500w:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2CDFD81A-C3D6-4B54-97C6-718FEB23C57C\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ui:es-24-lite:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0085DBEE-368A-400D-A2E7-AC090CCD6324\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ui:es-48-500w:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D7AC5ECE-A2E4-4AD8-B65D-4B5CFFF0A044\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ui:es-48-750w:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"287F2ABB-2855-4938-A5F3-857744ABC4E6\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ui:es-48-lite:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0C8A7623-0F2F-49F3-81F4-515E29A907EF\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ui:es-8-150w:-:*:*:*:*:*:*:*\",\"matchCriteriaId
\":\"CD0CDC1D-D5F7-437D-9544-95E8DBFBF1F7\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"40513095-7E6E-46B3-B604-C926F1BA3568\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*\",\"matchCriteriaId\":\"67E82302-4B77-44F3-97B1-24C18AC4A35D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B620311B-34A3-48A6-82DF-6F078D7A4493\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B009C22E-30A4-4288-BCF6-C3E81DEAF45A\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html\",\"source\":\"support@hackerone.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c\",\"source\":\"support@hackerone.com\",\"tags\":[\"Patch\",\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821\",\"source\":\"support@hackerone.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.ui.com/download/edgemax\",\"source\":\"support@hackerone.com\",\"tags\":[\"Product\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Release Notes\",\"Vendor 
Advisory\"]},{\"url\":\"https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.ui.com/download/edgemax\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]}]}}"
}
}
厂商已发布了漏洞修复程序,请及时关注更新: https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821
| Name | Ubiquiti Networks EdgeSwitch固件 1.9.0 |
|---|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2020-8233",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-8233"
}
},
"description": "Ubiquiti Networks EdgeSwitch\u662f\u7f8e\u56fd\u4f18\u6bd4\u5feb\uff08Ubiquiti Networks\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5343\u5146\u7f51\u7edc\u4ea4\u6362\u673a\u8bbe\u5907\u3002\n\n\u4f7f\u7528v1.9.0\u7248\u672c\u56fa\u4ef6\u7684Ubiquiti Networks EdgeSwitch\u4e2d\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9HTTP\u63a5\u53e3\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u7684shell\u547d\u4ee4\uff0c\u63d0\u5347\u6743\u9650\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2020-49702",
"openTime": "2020-08-31",
"patchDescription": "Ubiquiti Networks EdgeSwitch\u662f\u7f8e\u56fd\u4f18\u6bd4\u5feb\uff08Ubiquiti Networks\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5343\u5146\u7f51\u7edc\u4ea4\u6362\u673a\u8bbe\u5907\u3002\r\n\r\n\u4f7f\u7528v1.9.0\u7248\u672c\u56fa\u4ef6\u7684Ubiquiti Networks EdgeSwitch\u4e2d\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9HTTP\u63a5\u53e3\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u7684shell\u547d\u4ee4\uff0c\u63d0\u5347\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Ubiquiti Networks EdgeSwitch\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "Ubiquiti Networks EdgeSwitch\u56fa\u4ef6 1.9.0"
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-8233",
"serverity": "\u9ad8",
"submitTime": "2020-08-18",
"title": "Ubiquiti Networks EdgeSwitch\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}
FKIE_CVE-2020-8233
Vulnerability from fkie_nvd - Published: 2020-08-17 16:15 - Updated: 2026-06-17 03:26

| Vendor | Product | Version | |
|---|---|---|---|
| ui | edgeswitch_firmware | * | |
| ui | ep-16-xg | - | |
| ui | ep-s16 | - | |
| ui | es-12f | - | |
| ui | es-16-150w | - | |
| ui | es-24-250w | - | |
| ui | es-24-500w | - | |
| ui | es-24-lite | - | |
| ui | es-48-500w | - | |
| ui | es-48-750w | - | |
| ui | es-48-lite | - | |
| ui | es-8-150w | - | |
| opensuse | backports_sle | 15.0 | |
| opensuse | backports_sle | 15.0 | |
| opensuse | leap | 15.1 | |
| opensuse | leap | 15.2 |
{
"affected": [
{
"affectedData": [
{
"product": "EdgeSwitch firmware v1.9.0 and prior",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed version EdgeSwitch firmware v1.9.1"
}
]
}
],
"source": "support@hackerone.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ui:edgeswitch_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "99D34145-C467-493B-8055-6CB58FE29C37",
"versionEndExcluding": "1.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:ep-16-xg:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AED6B48F-78E6-4BE2-A89C-36887E3CE63B",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:ui:ep-s16:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C52B2CB9-844B-4720-BEC9-A73C9994C7AC",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:ui:es-12f:-:*:*:*:*:*:*:*",
"matchCriteriaId": "35E11BF8-2295-4DC3-B463-DC305B2ED456",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:ui:es-16-150w:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD4B5024-6E26-4011-9392-26E304C0B00C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:ui:es-24-250w:-:*:*:*:*:*:*:*",
"matchCriteriaId": "EBA2938D-8AF2-47D5-B881-AD27A999989D",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:ui:es-24-500w:-:*:*:*:*:*:*:*",
"matchCriteriaId": "2CDFD81A-C3D6-4B54-97C6-718FEB23C57C",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:ui:es-24-lite:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0085DBEE-368A-400D-A2E7-AC090CCD6324",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:ui:es-48-500w:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D7AC5ECE-A2E4-4AD8-B65D-4B5CFFF0A044",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:ui:es-48-750w:-:*:*:*:*:*:*:*",
"matchCriteriaId": "287F2ABB-2855-4938-A5F3-857744ABC4E6",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:ui:es-48-lite:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0C8A7623-0F2F-49F3-81F4-515E29A907EF",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:ui:es-8-150w:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CD0CDC1D-D5F7-437D-9544-95E8DBFBF1F7",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*",
"matchCriteriaId": "40513095-7E6E-46B3-B604-C926F1BA3568",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*",
"matchCriteriaId": "67E82302-4B77-44F3-97B1-24C18AC4A35D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A command injection vulnerability exists in EdgeSwitch firmware \u003cv1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de inyecci\u00f3n de comandos en el firmware de EdgeSwitch versiones anteriores a v1.9.0, que permit\u00eda a un usuario autenticado de solo lectura ejecutar comandos de shell arbitrarios por medio de la interfaz HTTP, permiti\u00e9ndoles escalar privilegios."
}
],
"id": "CVE-2020-8233",
"lastModified": "2026-06-17T03:26:06.137",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-17T16:15:13.857",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"
},
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c"
},
{
"source": "support@hackerone.com",
"tags": [
"Vendor Advisory"
],
"url": "https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821"
},
{
"source": "support@hackerone.com",
"tags": [
"Product"
],
"url": "https://www.ui.com/download/edgemax"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.ui.com/download/edgemax"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-WG23-CR77-5R75
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-25 00:00

A command injection vulnerability exists in EdgeSwitch firmware <v1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2020-8233"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-17T16:15:00Z",
"severity": "HIGH"
},
"details": "A command injection vulnerability exists in EdgeSwitch firmware \u003cv1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges.",
"id": "GHSA-wg23-cr77-5r75",
"modified": "2022-05-25T00:00:32Z",
"published": "2022-05-24T17:26:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8233"
},
{
"type": "WEB",
"url": "https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c"
},
{
"type": "WEB",
"url": "https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821"
},
{
"type": "WEB",
"url": "https://www.ui.com/download/edgemax"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GSD-2020-8233
Vulnerability from gsd - Updated: 2023-12-13 01:21
{
"GSD": {
"alias": "CVE-2020-8233",
"description": "A command injection vulnerability exists in EdgeSwitch firmware \u003cv1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges.",
"id": "GSD-2020-8233",
"references": [
"https://www.suse.com/security/cve/CVE-2020-8233.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-8233"
],
"details": "A command injection vulnerability exists in EdgeSwitch firmware \u003cv1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges.",
"id": "GSD-2020-8233",
"modified": "2023-12-13T01:21:54.038376Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8233",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "EdgeSwitch firmware v1.9.0 and prior",
"version": {
"version_data": [
{
"version_value": "Fixed version EdgeSwitch firmware v1.9.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A command injection vulnerability exists in EdgeSwitch firmware \u003cv1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Command Injection - Generic (CWE-77)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821",
"refsource": "MISC",
"url": "https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821"
},
{
"name": "https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c",
"refsource": "MISC",
"url": "https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c"
},
{
"name": "https://www.ui.com/download/edgemax",
"refsource": "MISC",
"url": "https://www.ui.com/download/edgemax"
},
{
"name": "openSUSE-SU-2020:1652",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ui:edgeswitch_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.9.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:ui:es-48-750w:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:ui:es-48-500w:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:ui:es-24-500w:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:ui:es-24-250w:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:ui:es-48-lite:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:ui:es-24-lite:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:ui:es-16-150w:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:ui:es-12f:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:ui:es-8-150w:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:ui:ep-16-xg:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
},
{
"cpe23Uri": "cpe:2.3:h:ui:ep-s16:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve-assignments@hackerone.com",
"ID": "CVE-2020-8233"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A command injection vulnerability exists in EdgeSwitch firmware \u003cv1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ui.com/download/edgemax",
"refsource": "MISC",
"tags": [
"Product"
],
"url": "https://www.ui.com/download/edgemax"
},
{
"name": "https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821"
},
{
"name": "https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c",
"refsource": "MISC",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c"
},
{
"name": "openSUSE-SU-2020:1652",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2022-05-24T17:03Z",
"publishedDate": "2020-08-17T16:15Z"
}
}
}
OPENSUSE-SU-2020:1652-1
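Vulnerability from csaf_opensuse - Published: 2020-10-10 18:24 - Updated: 2020-10-10 18:24

Note: this openSUSE advisory is a nextcloud update, and every product listed below is a nextcloud package, not EdgeSwitch firmware. Its description attaches CVE-2020-8233 to a Nextcloud re-sharing issue (NC-SA-2020-029), which does not match the EdgeSwitch command-injection description in the CVE record above. Verify against the Nextcloud advisory before treating the openSUSE entries as exposure to the EdgeSwitch flaw.

| Product | Identifier | Version | Remediation |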
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nextcloud",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nextcloud fixes the following issues:\n\nnextcloud version 20.0.0 fix some security issues:\n\n - NC-SA-2020-037\n PIN for passwordless WebAuthm is asked for but not verified\n - NC-SA-2020-033 (CVE-2020-8228)\n Missing rate limit on signup page\n - NC-SA-2020-029 (CVE-2020-8233, boo#1177346)\n Re-Sharing allows increase of privileges\n - NC-SA-2020-026\n Passowrd of share by mail is not hashed when given on the create share call\n - NC-SA-2020-023\n Increase random used for encryption\n\n- Update to 19.0.3\n\n - Fix possible leaking scope in Flow (server#22410)\n - Combine body-login rules in theming and fix twofactor and guest styling on bright colors (server#22427)\n - Show better quota warning for group folders and external storage (server#22442)\n - Add php docs build script (server#22448)\n - Fix clicks on actions menu of non opaque file rows in acceptance tests (server#22503)\n - Fix writing BLOBs to postgres with recent contacts interaction (server#22515)\n - Set the mount id before calling storage wrapper (server#22519)\n - Fix S3 error handling (server#22521)\n - Only disable zip64 if the size is known (server#22537)\n - Change free space calculation (server#22553)\n - Do not keep the part file if the forbidden exception has no retry set (server#22560)\n - Fix app password updating out of bounds (server#22569)\n - Use the correct root to determinate the webroot for the resource (server#22579)\n - Upgrade icewind/smb to 3.2.7 (server#22581)\n - Bump elliptic from 6.4.1 to 6.5.3 (notifications#732)\n - Fixes regression that prevented you from toggling the encryption flag (privacy#489)\n - Match any non-whitespace character in filesystem pattern (serverinfo#229)\n - Catch StorageNotAvailable exceptions (text#1001)\n - Harden read only check on public endpoints (text#1017)\n - Harden check when using token from memcache (text#1020)\n - Sessionid is an int (text#1029)\n - Only overwrite Ctrl-f when text is focussed (text#990)\n - Set 
the X-Requested-With header on dav requests (viewer#582)\n\n- Update to 19.0.2\n\n - [stable19] lower minimum search length to 2 characters (server#21782)\n - [stable19] Call openssl_pkey_export with $config and log errors. (server#21804)\n - [stable19] Improve error reporting on sharing errors (server#21806)\n - [stable19] Do not log RequestedRangeNotSatisfiable exceptions in DAV (server#21840)\n - [stable19] Fix parsing of language code (server#21857)\n - [stable19] fix typo in revokeShare() (server#21876)\n - [stable19] Discourage webauthn user interaction (server#21917)\n - [stable19] Encryption is ready if master key is enabled (server#21935)\n - [stable19] Disable fragile comments tests (server#21939)\n - [stable19] Do not double encode the userid in webauthn login (server#21953)\n - [stable19] update icewind/smb to 3.2.6 (server#21955)\n - [stable19] Respect default share permissions (server#21967)\n - [stable19] allow admin to configure the max trashbin size (server#21975)\n - [stable19] Fix risky test in twofactor_backupcodes (server#21978)\n - [stable19] Fix PHPUnit deprecation warnings (server#21981)\n - [stable19] fix moving files from external storage to object store trashbin (server#21983)\n - [stable19] Ignore whitespace in sharing by mail (server#21991)\n - [stable19] Properly fetch translation for remote wipe confirmation dialog (server#22036)\n - [stable19] parse_url returns null in case a parameter is not found (server#22044)\n - Bump elliptic from 6.5.2 to 6.5.3 (server#22050)\n - [stable19] Correctly remove usergroup shares on removing group members (server#22053)\n - [stable19] Fix height to big for iPhone when using many apps (server#22064)\n - [stable19] reset the cookie internally in new API when abandoning paged results op (server#22069)\n - [stable19] Add Guzzle\u0027s InvalidArgumentException (server#22070)\n - [stable19] contactsmanager shall limit number of results early (server#22091)\n - [stable19] Fix browser freeze on long password 
input (server#22094)\n - [stable19] Search also the email and displayname in user mangement for groups (server#22118)\n - [stable19] Ensured large image is unloaded from memory when generating previews (server#22121)\n - [stable19] fix display of remote users in incoming share notifications (server#22131)\n - [stable19] Reuse cache for directory mtime/size if filesystem changes can be ignored (server#22171)\n - [stable19] Remove unexpected argument (server#22178)\n - [stable19] Do not exit if available space cannot be determined on file transfer (server#22181)\n - [stable19] Fix empty \u0027more\u0027 apps navigation after installing an app (server#22183)\n - [stable19] Fix default log_rotate_size in config.sample.php (server#22192)\n - [stable19] shortcut in reading nested group members when IN_CHAIN is available (server#22203)\n - [stable19] Fix chmod on file descriptor (server#22208)\n - [stable19] Do clearstatcache() on rmdir (server#22209)\n - [stable19] SSE enhancement of file signature (server#22210)\n - [stable19] remove logging message carrying no valuable information (server#22215)\n - [stable19] Add app config option to disable \u0027Email was changed by admin\u0027 activity (server#22232)\n - [stable19] Delete chunks if the move on an upload failed (server#22239)\n - [stable19] Silence duplicate session warnings (server#22247)\n - [3rdparty] Doctrine: Fix unquoted stmt fragments backslash escaping (server#22252)\n - [stable19] Allow to disable share emails (server#22300)\n - [stable19] Show disabled user count in occ user:report (server#22302)\n - Bump 3rdparty to last stable19 commit (server#22303)\n - [stable19] fixing a logged deprecation message (server#22309)\n - [stable19] CalDAV: Add ability to limit sharing to owner (server#22333)\n - [stable19] Only copy the link when updating a share or no password was forced (server#22337)\n - [stable19] Remove encryption option for nextcloud external storage (server#22341)\n - [stable19] l10n:Correct appid 
for WebAuthn (server#22348)\n - [stable19] Properly search for users when limittogroups is enabled (server#22355)\n - [stable19] SSE: make legacy format opt in (server#22381)\n - [stable19] Update the CRL (server#22387)\n - [stable19] Fix missing FN from federated contact (server#22400)\n - [stable19] fix event icon sizes and text alignment (server#22414)\n - [stable19] Bump stecman/symfony-console-completion from 0.8.0 to 0.11.0 (3rdparty#457)\n - [stable19] Add Guzzle\u0027s InvalidArgumentException (3rdparty#474)\n - [stable19] Doctrine: Fix unquoted stmt fragments backslash escaping (3rdparty#486)\n - [stable19] Fix cypress (viewer#545)\n - Move to webpack vue global config \u0026 bump deps (viewer#558)\n\n- Update to 19.0.1\n\n - Security update\n Fix (CVE-2020-8183, NC-SA-2020-026, CWE-256)\n A logic error in Nextcloud Server 19.0.0 caused a plaintext \n storage of the share password when it was given on the initial\n create API call.\n\n- Update to 19.0.0\n\n * Changes\n Nextcloud Hub v19, code name \u201chome office\u201d, represents a big step forward \n for remote collaboration in teams. \n This release brings document collaboration to video chats,\n introduces password-less login and improves performance.\n As this is a major release, the changelog is too long to put here. \n Users can look at github milestones to find what has been merged. \n A quick overview of what is new:\n - password-less authentication and many other security measures\n - Talk 9 with built-in office document editing courtesy of Collabora, a grid view \u0026 more\n - MUCH improved performance, Deck integration in Calendar, guest account groups and more!\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2020-1652",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1652-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2020:1652-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WWBOJYWMDZM3KUZWE3WE7OUUHDQ6Z7BX/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2020:1652-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WWBOJYWMDZM3KUZWE3WE7OUUHDQ6Z7BX/"
},
{
"category": "self",
"summary": "SUSE Bug 1171572",
"url": "https://bugzilla.suse.com/1171572"
},
{
"category": "self",
"summary": "SUSE Bug 1171579",
"url": "https://bugzilla.suse.com/1171579"
},
{
"category": "self",
"summary": "SUSE Bug 1177346",
"url": "https://bugzilla.suse.com/1177346"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-8154 page",
"url": "https://www.suse.com/security/cve/CVE-2020-8154/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-8155 page",
"url": "https://www.suse.com/security/cve/CVE-2020-8155/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-8183 page",
"url": "https://www.suse.com/security/cve/CVE-2020-8183/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-8228 page",
"url": "https://www.suse.com/security/cve/CVE-2020-8228/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-8233 page",
"url": "https://www.suse.com/security/cve/CVE-2020-8233/"
}
],
"title": "Security update for nextcloud",
"tracking": {
"current_release_date": "2020-10-10T18:24:59Z",
"generator": {
"date": "2020-10-10T18:24:59Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2020:1652-1",
"initial_release_date": "2020-10-10T18:24:59Z",
"revision_history": [
{
"date": "2020-10-10T18:24:59Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "nextcloud-20.0.0-bp152.2.3.1.noarch",
"product": {
"name": "nextcloud-20.0.0-bp152.2.3.1.noarch",
"product_id": "nextcloud-20.0.0-bp152.2.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 12",
"product": {
"name": "SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:packagehub:12"
}
}
},
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP1",
"product": {
"name": "SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1"
}
},
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP2",
"product": {
"name": "SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.1",
"product": {
"name": "openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.1"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-20.0.0-bp152.2.3.1.noarch as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch"
},
"product_reference": "nextcloud-20.0.0-bp152.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-20.0.0-bp152.2.3.1.noarch as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch"
},
"product_reference": "nextcloud-20.0.0-bp152.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-20.0.0-bp152.2.3.1.noarch as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch"
},
"product_reference": "nextcloud-20.0.0-bp152.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-20.0.0-bp152.2.3.1.noarch as component of openSUSE Leap 15.1",
"product_id": "openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch"
},
"product_reference": "nextcloud-20.0.0-bp152.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-20.0.0-bp152.2.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
},
"product_reference": "nextcloud-20.0.0-bp152.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-8154",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-8154"
}
],
"notes": [
{
"category": "general",
"text": "An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-8154",
"url": "https://www.suse.com/security/cve/CVE-2020-8154"
},
{
"category": "external",
"summary": "SUSE Bug 1171579 for CVE-2020-8154",
"url": "https://bugzilla.suse.com/1171579"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-10T18:24:59Z",
"details": "moderate"
}
],
"title": "CVE-2020-8154"
},
{
"cve": "CVE-2020-8155",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-8155"
}
],
"notes": [
{
"category": "general",
"text": "An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-8155",
"url": "https://www.suse.com/security/cve/CVE-2020-8155"
},
{
"category": "external",
"summary": "SUSE Bug 1171572 for CVE-2020-8155",
"url": "https://bugzilla.suse.com/1171572"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-10T18:24:59Z",
"details": "low"
}
],
"title": "CVE-2020-8155"
},
{
"cve": "CVE-2020-8183",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-8183"
}
],
"notes": [
{
"category": "general",
"text": "A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-8183",
"url": "https://www.suse.com/security/cve/CVE-2020-8183"
},
{
"category": "external",
"summary": "SUSE Bug 1178384 for CVE-2020-8183",
"url": "https://bugzilla.suse.com/1178384"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-10T18:24:59Z",
"details": "important"
}
],
"title": "CVE-2020-8183"
},
{
"cve": "CVE-2020-8228",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-8228"
}
],
"notes": [
{
"category": "general",
"text": "A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-8228",
"url": "https://www.suse.com/security/cve/CVE-2020-8228"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-10T18:24:59Z",
"details": "moderate"
}
],
"title": "CVE-2020-8228"
},
{
"cve": "CVE-2020-8233",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-8233"
}
],
"notes": [
{
"category": "general",
"text": "A command injection vulnerability exists in EdgeSwitch firmware \u003cv1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-8233",
"url": "https://www.suse.com/security/cve/CVE-2020-8233"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.1:nextcloud-20.0.0-bp152.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.0-bp152.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2020-10-10T18:24:59Z",
"details": "critical"
}
],
"title": "CVE-2020-8233"
}
]
}
VAR-202008-0980
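Vulnerability from variot - Updated: 2024-11-23 22:55
A command injection vulnerability exists in EdgeSwitch firmware <v1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges. EdgeSwitch firmware contains an OS command injection vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Ubiquiti Networks EdgeSwitch is a gigabit network switch device from Ubiquiti Networks. Note that the SUSE CSAF record above attaches this CVE ID to nextcloud packages and its patch description pairs the ID with NC-SA-2020-029 (re-sharing privilege increase), while the CVE description it carries is this EdgeSwitch one; the nextcloud association looks like an identifier mix-up and should be confirmed against the vendor advisories before it is used for package matching or prioritisation.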
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202008-0980",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "edgeswitch",
"scope": "lt",
"trust": 1.0,
"vendor": "ui",
"version": "1.9.0"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.1"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.2"
},
{
"model": "backports sle",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.0"
},
{
"model": "edgeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "ubiquiti",
"version": "1.9.0"
},
{
"model": "networks edgeswitch",
"scope": "eq",
"trust": 0.6,
"vendor": "ubiquiti",
"version": "1.9.0"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-49702"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009588"
},
{
"db": "NVD",
"id": "CVE-2020-8233"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:ubiquiti_networks:edgeswitch_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-009588"
}
]
},
"cve": "CVE-2020-8233",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"id": "CVE-2020-8233",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.0,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 9.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "JVNDB-2020-009588",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"id": "CNVD-2020-49702",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2020-8233",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2020-009588",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-8233",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "JVNDB-2020-009588",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2020-49702",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202008-859",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-49702"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009588"
},
{
"db": "CNNVD",
"id": "CNNVD-202008-859"
},
{
"db": "NVD",
"id": "CVE-2020-8233"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A command injection vulnerability exists in EdgeSwitch firmware \u003cv1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges. EdgeSwitch For firmware, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Ubiquiti Networks EdgeSwitch is a gigabit network switch device of Ubiquiti Networks",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-8233"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009588"
},
{
"db": "CNVD",
"id": "CNVD-2020-49702"
}
],
"trust": 2.16
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-8233",
"trust": 3.0
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009588",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2020-49702",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "48737",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202008-859",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-49702"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009588"
},
{
"db": "CNNVD",
"id": "CNNVD-202008-859"
},
{
"db": "NVD",
"id": "CVE-2020-8233"
}
]
},
"id": "VAR-202008-0980",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-49702"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-49702"
}
]
},
"last_update_date": "2024-11-23T22:55:05.303000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Security advisory bulletin 014",
"trust": 0.8,
"url": "https://community.ui.com/releases/Security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821"
},
{
"title": "EdgeMAX EdgeSwitch Firmware v1.9.1",
"trust": 0.8,
"url": "https://community.ui.com/releases/EdgeMAX-EdgeSwitch-Firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c"
},
{
"title": "EdgeMAX",
"trust": 0.8,
"url": "https://www.ui.com/download/edgemax/"
},
{
"title": "Patch for Ubiquiti Networks EdgeSwitch operating system command injection vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/232414"
},
{
"title": "Ubiquiti Networks EdgeSwitch Fixes for command injection vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=126546"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-49702"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009588"
},
{
"db": "CNNVD",
"id": "CNNVD-202008-859"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.8
},
{
"problemtype": "CWE-77",
"trust": 1.0
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-009588"
},
{
"db": "NVD",
"id": "CVE-2020-8233"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8233"
},
{
"trust": 1.6,
"url": "https://community.ui.com/releases/security-advisory-bulletin-014-014/1c32c056-2c64-4e60-ac23-ce7d8f387821"
},
{
"trust": 1.6,
"url": "https://community.ui.com/releases/edgemax-edgeswitch-firmware-v1-9-1-v1-9-1/8a87dfc5-70f5-4055-8d67-570db1f5695c"
},
{
"trust": 1.6,
"url": "https://www.ui.com/download/edgemax"
},
{
"trust": 1.6,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-8233"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/48737"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-49702"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009588"
},
{
"db": "CNNVD",
"id": "CNNVD-202008-859"
},
{
"db": "NVD",
"id": "CVE-2020-8233"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2020-49702"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-009588"
},
{
"db": "CNNVD",
"id": "CNNVD-202008-859"
},
{
"db": "NVD",
"id": "CVE-2020-8233"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-08-31T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-49702"
},
{
"date": "2020-11-19T05:37:48",
"db": "JVNDB",
"id": "JVNDB-2020-009588"
},
{
"date": "2020-08-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202008-859"
},
{
"date": "2020-08-17T16:15:13.857000",
"db": "NVD",
"id": "CVE-2020-8233"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-08-31T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-49702"
},
{
"date": "2020-11-19T05:37:48",
"db": "JVNDB",
"id": "JVNDB-2020-009588"
},
{
"date": "2022-03-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202008-859"
},
{
"date": "2024-11-21T05:38:33.437000",
"db": "NVD",
"id": "CVE-2020-8233"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202008-859"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Ubiquiti Networks EdgeSwitch operating system command injection vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-49702"
},
{
"db": "CNNVD",
"id": "CNNVD-202008-859"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system command injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202008-859"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.