Vulnerability-Lookup

CNVD-2020-23200

Vulnerability from cnvd - Published: 2020-04-17

Title

OpenWrt LuCI信息泄露漏洞

Description

OpenWrt LuCI是一款用于OpenWrt（Linux发行版）的图形化配置界面。 OpenWrt LuCI git-20.x版本中存在信息泄露漏洞，远程攻击者可利用该漏洞检索已安装的软件包和服务的列表。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://github.com/openwrt/luci

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-10871

Impacted products

Name
OpenWrt LuCI git-20.x

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-10871"
    }
  },
  "description": "OpenWrt LuCI\u662f\u4e00\u6b3e\u7528\u4e8eOpenWrt\uff08Linux\u53d1\u884c\u7248\uff09\u7684\u56fe\u5f62\u5316\u914d\u7f6e\u754c\u9762\u3002\n\nOpenWrt LuCI git-20.x\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u68c0\u7d22\u5df2\u5b89\u88c5\u7684\u8f6f\u4ef6\u5305\u548c\u670d\u52a1\u7684\u5217\u8868\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://github.com/openwrt/luci",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-23200",
  "openTime": "2020-04-17",
  "products": {
    "product": "OpenWrt LuCI git-20.x"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-10871",
  "serverity": "\u4e2d",
  "submitTime": "2020-03-24",
  "title": "OpenWrt LuCI\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2020-10871 (GCVE-0-2020-10871)

Vulnerability from cvelistv5 – Published: 2020-03-23 19:45 – Updated: 2024-08-04 11:14 Disputed

Summary

In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other (more complex) ways, and there is no plan to restrict the information further

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/openwrt/luci/issues/3563#issue…	x_refsource_MISC
	https://github.com/openwrt/luci/issues/3653#issue…	x_refsource_MISC
	https://github.com/openwrt/luci/issues/3766	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:14:15.626Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/openwrt/luci/issues/3563#issuecomment-578522860"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/openwrt/luci/issues/3653#issue-567892007"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/openwrt/luci/issues/3766"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other (more complex) ways, and there is no plan to restrict the information further"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-23T19:45:25.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openwrt/luci/issues/3563#issuecomment-578522860"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openwrt/luci/issues/3653#issue-567892007"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openwrt/luci/issues/3766"
        }
      ],
      "tags": [
        "disputed"
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-10871",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "** DISPUTED ** In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other (more complex) ways, and there is no plan to restrict the information further."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/openwrt/luci/issues/3563#issuecomment-578522860",
              "refsource": "MISC",
              "url": "https://github.com/openwrt/luci/issues/3563#issuecomment-578522860"
            },
            {
              "name": "https://github.com/openwrt/luci/issues/3653#issue-567892007",
              "refsource": "MISC",
              "url": "https://github.com/openwrt/luci/issues/3653#issue-567892007"
            },
            {
              "name": "https://github.com/openwrt/luci/issues/3766",
              "refsource": "MISC",
              "url": "https://github.com/openwrt/luci/issues/3766"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-10871",
    "datePublished": "2020-03-23T19:45:25.000Z",
    "dateReserved": "2020-03-23T00:00:00.000Z",
    "dateUpdated": "2024-08-04T11:14:15.626Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-23200

CVE-2020-10871 (GCVE-0-2020-10871)

Tags

Sightings

Nomenclature