{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Session management does not use a sufficiently hard-to-guess session key. Anyone who can guess the microsecond time (and the incrementing session_id) can impersonate a session."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-09-28T17:06:22.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/davical-project/awl/-/issues/19"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956650"}, {"name": "[debian-lts-announce] 20200417 [SECURITY] [DLA 2178-1] awl security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00011.html"}, {"name": "DSA-4660", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4660"}, {"name": "USN-4539-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4539-1/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-11728", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Session management does not use a sufficiently hard-to-guess session key. Anyone who can guess the microsecond time (and the incrementing session_id) can impersonate a session."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.com/davical-project/awl/-/issues/19", "refsource": "MISC", "url": "https://gitlab.com/davical-project/awl/-/issues/19"}, {"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956650", "refsource": "MISC", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956650"}, {"name": "[debian-lts-announce] 20200417 [SECURITY] [DLA 2178-1] awl security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00011.html"}, {"name": "DSA-4660", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4660"}, {"name": "USN-4539-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4539-1/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:41:59.965Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.com/davical-project/awl/-/issues/19"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956650"}, {"name": "[debian-lts-announce] 20200417 [SECURITY] [DLA 2178-1] awl security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00011.html"}, {"name": "DSA-4660", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2020/dsa-4660"}, {"name": "USN-4539-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4539-1/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-11728", "datePublished": "2020-04-15T15:37:12.000Z", "dateReserved": "2020-04-12T00:00:00.000Z", "dateUpdated": "2024-08-04T11:41:59.965Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:davical:andrew\\'s_web_libraries:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB204E5C-5C64-4CEA-A567-0DADDE0F5610", "versionEndIncluding": "0.60", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Session management does not use a sufficiently hard-to-guess session key. Anyone who can guess the microsecond time (and the incrementing session_id) can impersonate a session."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en DAViCal Andrew's Web Libraries (AWL) versiones hasta el 0,60. La administraci\u00f3n de sesiones no usa una clave de sesi\u00f3n lo suficientemente dif\u00edcil de adivinar. Cualquiera que pueda adivinar el tiempo de microsegundos (y el incremento del session_id) puede suplantar una sesi\u00f3n."}], "id": "CVE-2020-11728", "lastModified": "2024-11-21T04:58:29.770", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-15T16:15:16.643", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956650"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://gitlab.com/davical-project/awl/-/issues/19"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00011.html"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4539-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4660"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956650"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://gitlab.com/davical-project/awl/-/issues/19"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00011.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/4539-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4660"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}