CVE-2020-12146 - OpenCVE

In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can access, modify, and delete restricted files on the Orchestrator server using the/debugFiles REST API.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Silver-peak	Unity Orchestrator

Configuration 1 [-]

OR	cpe:2.3:a:silver-peak:unity_orchestrator::::::::
	cpe:2.3:a:silver-peak:unity_orchestrator::::::::
	cpe:2.3:a:silver-peak:unity_orchestrator::::::::

No data.

References

Link	Providers
https://www.silver-peak.com/support/user-documentation/security-advisories

History

No history.

MITRE

Status: PUBLISHED

Assigner: Silver Peak

Published: 2020-11-05T18:51:45.101913Z

Updated: 2024-09-17T00:30:55.637Z

Reserved: 2020-04-24T00:00:00

Link: CVE-2020-12146

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-11-05T19:15:12.600

Modified: 2020-11-12T17:12:56.537

Link: CVE-2020-12146

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Unity Orchestrator", "vendor": "Silver Peak Systems, Inc.", "versions": [{"status": "affected", "version": "All versions affected prior to Silver Peak Unity Orchestrator 8.9.11+"}, {"status": "affected", "version": "8.10.11+"}, {"status": "affected", "version": "or 9.0.1+."}]}], "credits": [{"lang": "en", "value": "This vulnerability was reported to Silver Peak by the security team at Realmode Labs."}], "datePublic": "2020-10-31T00:00:00", "descriptions": [{"lang": "en", "value": "In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can access, modify, and delete restricted files on the Orchestrator server using the/debugFiles REST API."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "CVE-2020-12147", "lang": "en", "type": "text"}]}, {"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-05T18:51:45", "orgId": "83cc1b1a-46b0-4ac1-94f2-bbef3319bc4c", "shortName": "Silver Peak"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.silver-peak.com/support/user-documentation/security-advisories"}], "solutions": [{"lang": "en", "value": "Recommended Actions for Silver Peak Customers: Upgrade to Orchestrator 8.9.11+, 8.10.11+, or 9.0.1+."}], "source": {"advisory": "Security Advisory 2020-10-31-01-002", "discovery": "EXTERNAL"}, "title": "Silver Peak Unity OrchestratorTM subject to path traversal.", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "sirt@silver-peak.com", "DATE_PUBLIC": "2020-10-31T16:00:00.000Z", "ID": "CVE-2020-12146", "STATE": "PUBLIC", "TITLE": "Silver Peak Unity OrchestratorTM subject to path traversal."}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Unity Orchestrator", "version": {"version_data": [{"version_value": "All versions affected prior to Silver Peak Unity Orchestrator 8.9.11+"}, {"version_value": "8.10.11+"}, {"version_value": "or 9.0.1+."}]}}]}, "vendor_name": "Silver Peak Systems, Inc."}]}}, "credit": [{"lang": "eng", "value": "This vulnerability was reported to Silver Peak by the security team at Realmode Labs."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can access, modify, and delete restricted files on the Orchestrator server using the/debugFiles REST API."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CVE-2020-12147"}]}, {"description": [{"lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://www.silver-peak.com/support/user-documentation/security-advisories", "refsource": "MISC", "url": "https://www.silver-peak.com/support/user-documentation/security-advisories"}]}, "solution": [{"lang": "en", "value": "Recommended Actions for Silver Peak Customers: Upgrade to Orchestrator 8.9.11+, 8.10.11+, or 9.0.1+."}], "source": {"advisory": "Security Advisory 2020-10-31-01-002", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:48:58.409Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.silver-peak.com/support/user-documentation/security-advisories"}]}]}, "cveMetadata": {"assignerOrgId": "83cc1b1a-46b0-4ac1-94f2-bbef3319bc4c", "assignerShortName": "Silver Peak", "cveId": "CVE-2020-12146", "datePublished": "2020-11-05T18:51:45.101913Z", "dateReserved": "2020-04-24T00:00:00", "dateUpdated": "2024-09-17T00:30:55.637Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:silver-peak:unity_orchestrator:*:*:*:*:*:*:*:*", "matchCriteriaId": "F57E088F-B275-47E0-87E9-D392F5E78CA7", "versionEndExcluding": "8.9.11\\+", "vulnerable": true}, {"criteria": "cpe:2.3:a:silver-peak:unity_orchestrator:*:*:*:*:*:*:*:*", "matchCriteriaId": "06BDDCC0-D63B-4729-9FB7-95B89A54389A", "versionEndExcluding": "8.10.11\\+", "versionStartIncluding": "8.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:silver-peak:unity_orchestrator:*:*:*:*:*:*:*:*", "matchCriteriaId": "5302B8F8-6B84-48F0-BD59-8FF7368AB888", "versionEndExcluding": "9.0.1\\+", "versionStartIncluding": "9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+, an authenticated user can access, modify, and delete restricted files on the Orchestrator server using the/debugFiles REST API."}, {"lang": "es", "value": "En Silver Peak Unity Orchestrator versiones anteriores a 8.9.11+, 8.10.11+ o 9.0.1+, un usuario autenticado puede acceder, modificar y eliminar archivos restringidos en el servidor de Orchestrator usando la API REST /debugFiles"}], "id": "CVE-2020-12146", "lastModified": "2020-11-12T17:12:56.537", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "sirt@silver-peak.com", "type": "Secondary"}]}, "published": "2020-11-05T19:15:12.600", "references": [{"source": "sirt@silver-peak.com", "tags": ["Vendor Advisory"], "url": "https://www.silver-peak.com/support/user-documentation/security-advisories"}], "sourceIdentifier": "sirt@silver-peak.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "sirt@silver-peak.com", "type": "Secondary"}]}