CVE-2020-12146 - Vulnerability Details - OpenCVE

Description

In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can access, modify, and delete restricted files on the Orchestrator server using the/debugFiles REST API.

Published: 2020-11-05

Score: 6.6 Medium

EPSS: 44.6% Moderate

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Silver Peak Systems, Inc.

Unity Orchestrator

affected

Version	Status	Constraints
`All versions affected prior to Silver Peak Unity Orchestrator 8.9.11+`	affected	—
`8.10.11+`	affected	—
`or 9.0.1+.`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:silver-peak:unity_orchestrator::::::::
	cpe:2.3:a:silver-peak:unity_orchestrator::::::::
	cpe:2.3:a:silver-peak:unity_orchestrator::::::::

No data.

No data available yet.

Remediation

Vendor Solution

Recommended Actions for Silver Peak Customers: Upgrade to Orchestrator 8.9.11+, 8.10.11+, or 9.0.1+.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.44649.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.silver-peak.com/support/user-documentation/security-advisories

History

No history.

Subscriptions

Silver-peak Unity Orchestrator

MITRE

Status: PUBLISHED

Assigner: Silver Peak

Published: 2020-11-05T18:51:45.101Z

Updated: 2024-09-17T00:30:55.637Z

Reserved: 2020-04-24T00:00:00.000Z

Link: CVE-2020-12146

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-11-05T19:15:12.600

Modified: 2024-11-21T04:59:21.400

Link: CVE-2020-12146

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-22

{"containers": {"cna": {"affected": [{"product": "Unity Orchestrator", "vendor": "Silver Peak Systems, Inc.", "versions": [{"status": "affected", "version": "All versions affected prior to Silver Peak Unity Orchestrator 8.9.11+"}, {"status": "affected", "version": "8.10.11+"}, {"status": "affected", "version": "or 9.0.1+."}]}], "credits": [{"lang": "en", "value": "This vulnerability was reported to Silver Peak by the security team at Realmode Labs."}], "datePublic": "2020-10-31T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can access, modify, and delete restricted files on the Orchestrator server using the/debugFiles REST API."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "CVE-2020-12147", "lang": "en", "type": "text"}]}, {"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-05T18:51:45.000Z", "orgId": "83cc1b1a-46b0-4ac1-94f2-bbef3319bc4c", "shortName": "Silver Peak"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.silver-peak.com/support/user-documentation/security-advisories"}], "solutions": [{"lang": "en", "value": "Recommended Actions for Silver Peak Customers: Upgrade to Orchestrator 8.9.11+, 8.10.11+, or 9.0.1+."}], "source": {"advisory": "Security Advisory 2020-10-31-01-002", "discovery": "EXTERNAL"}, "title": "Silver Peak Unity OrchestratorTM subject to path traversal.", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "sirt@silver-peak.com", "DATE_PUBLIC": "2020-10-31T16:00:00.000Z", "ID": "CVE-2020-12146", "STATE": "PUBLIC", "TITLE": "Silver Peak Unity OrchestratorTM subject to path traversal."}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Unity Orchestrator", "version": {"version_data": [{"version_value": "All versions affected prior to Silver Peak Unity Orchestrator 8.9.11+"}, {"version_value": "8.10.11+"}, {"version_value": "or 9.0.1+."}]}}]}, "vendor_name": "Silver Peak Systems, Inc."}]}}, "credit": [{"lang": "eng", "value": "This vulnerability was reported to Silver Peak by the security team at Realmode Labs."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can access, modify, and delete restricted files on the Orchestrator server using the/debugFiles REST API."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CVE-2020-12147"}]}, {"description": [{"lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://www.silver-peak.com/support/user-documentation/security-advisories", "refsource": "MISC", "url": "https://www.silver-peak.com/support/user-documentation/security-advisories"}]}, "solution": [{"lang": "en", "value": "Recommended Actions for Silver Peak Customers: Upgrade to Orchestrator 8.9.11+, 8.10.11+, or 9.0.1+."}], "source": {"advisory": "Security Advisory 2020-10-31-01-002", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:48:58.409Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.silver-peak.com/support/user-documentation/security-advisories"}]}]}, "cveMetadata": {"assignerOrgId": "83cc1b1a-46b0-4ac1-94f2-bbef3319bc4c", "assignerShortName": "Silver Peak", "cveId": "CVE-2020-12146", "datePublished": "2020-11-05T18:51:45.101Z", "dateReserved": "2020-04-24T00:00:00.000Z", "dateUpdated": "2024-09-17T00:30:55.637Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:silver-peak:unity_orchestrator:*:*:*:*:*:*:*:*", "matchCriteriaId": "F57E088F-B275-47E0-87E9-D392F5E78CA7", "versionEndExcluding": "8.9.11\\+", "vulnerable": true}, {"criteria": "cpe:2.3:a:silver-peak:unity_orchestrator:*:*:*:*:*:*:*:*", "matchCriteriaId": "06BDDCC0-D63B-4729-9FB7-95B89A54389A", "versionEndExcluding": "8.10.11\\+", "versionStartIncluding": "8.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:silver-peak:unity_orchestrator:*:*:*:*:*:*:*:*", "matchCriteriaId": "5302B8F8-6B84-48F0-BD59-8FF7368AB888", "versionEndExcluding": "9.0.1\\+", "versionStartIncluding": "9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can access, modify, and delete restricted files on the Orchestrator server using the/debugFiles REST API."}, {"lang": "es", "value": "En Silver Peak Unity Orchestrator versiones anteriores a 8.9.11+, 8.10.11+ o 9.0.1+, un usuario autenticado puede acceder, modificar y eliminar archivos restringidos en el servidor de Orchestrator usando la API REST /debugFiles"}], "id": "CVE-2020-12146", "lastModified": "2024-11-21T04:59:21.400", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "sirt@silver-peak.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-05T19:15:12.600", "references": [{"source": "sirt@silver-peak.com", "tags": ["Vendor Advisory"], "url": "https://www.silver-peak.com/support/user-documentation/security-advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.silver-peak.com/support/user-documentation/security-advisories"}], "sourceIdentifier": "sirt@silver-peak.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "sirt@silver-peak.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}