Vulnerability-Lookup

GHSA-W7CR-RVWX-67Q2

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-05-24 17:35

Details

AEM Forms SP6 add-on for AEM 6.5.6.0 and Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) have a blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability could be exploited by an unauthenticated attacker to gather information about internal systems that reside on the same network.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-24444"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-10T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "AEM Forms SP6 add-on for AEM 6.5.6.0 and Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) have a blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability could be exploited by an unauthenticated attacker to gather information about internal systems that reside on the same network.",
  "id": "GHSA-w7cr-rvwx-67q2",
  "modified": "2022-05-24T17:35:56Z",
  "published": "2022-05-24T17:35:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24444"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2020-24444 (GCVE-0-2020-24444)

Vulnerability from cvelistv5 – Published: 2020-12-10 05:32 – Updated: 2024-09-17 01:11

Title

Blind SSRF in Forms add-on for AEM

Summary

Severity

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF) (CWE-918)

Assigner

adobe

References

1 reference

URL	Tags
https://helpx.adobe.com/security/products/experie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Adobe	Experience Manager	Affected: <= Forms SP6 add-on for AEM 6.5.6.0 Affected: <= Forms SP8 add-on for AEM 6.4.8.2 Affected: <= None

Date Public

2020-12-08 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:12:08.932Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Experience Manager",
          "vendor": "Adobe",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= Forms SP6 add-on for AEM 6.5.6.0"
            },
            {
              "status": "affected",
              "version": "\u003c= Forms SP8 add-on for AEM 6.4.8.2"
            },
            {
              "status": "affected",
              "version": "\u003c= None"
            }
          ]
        }
      ],
      "datePublic": "2020-12-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "AEM Forms SP6 add-on for AEM 6.5.6.0 and Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) have a blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability could be exploited by an unauthenticated attacker to gather information about internal systems that reside on the same network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery (SSRF) (CWE-918)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-10T05:32:53.000Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Blind SSRF in Forms add-on for AEM",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@adobe.com",
          "DATE_PUBLIC": "2020-12-08T23:00:00.000Z",
          "ID": "CVE-2020-24444",
          "STATE": "PUBLIC",
          "TITLE": "Blind SSRF in Forms add-on for AEM"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Experience Manager",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c= Forms SP6 add-on for AEM 6.5.6.0"
                          },
                          {
                            "version_value": "\u003c= Forms SP8 add-on for AEM 6.4.8.2"
                          },
                          {
                            "version_value": "\u003c= None"
                          },
                          {
                            "version_value": "\u003c= None"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Adobe"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "AEM Forms SP6 add-on for AEM 6.5.6.0 and Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) have a blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability could be exploited by an unauthenticated attacker to gather information about internal systems that reside on the same network."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "availabilityImpact": "None",
            "baseScore": 5.8,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Changed",
            "userInteraction": "None",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Server-Side Request Forgery (SSRF) (CWE-918)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html",
              "refsource": "CONFIRM",
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2020-24444",
    "datePublished": "2020-12-10T05:32:53.787Z",
    "dateReserved": "2020-08-19T00:00:00.000Z",
    "dateUpdated": "2024-09-17T01:11:53.601Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-W7CR-RVWX-67Q2

CVE-2020-24444 (GCVE-0-2020-24444)

Tags

Sightings

Nomenclature