CVE-2020-15080 - Vulnerability Details - OpenCVE

In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6 A possible workaround is to make sure `composer.json` and `docker-compose.yml` are not accessible on your server.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00206.

Key SSVC decision points have not yet been added.

Vendors	Products
Prestashop	Prestashop

Configuration 1 [-]

cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2020-7208	In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6 A possible workaround is to make sure `composer.json` and `docker-compose.yml` are not accessible on your server.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/PrestaShop/PrestaShop/commit/35ef7e9d892287c302df1fc5aa05ecfc6f15bc76
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-492w-2pp5-xhvg

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-07-02T16:45:19

Updated: 2024-08-04T13:08:21.779Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15080

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-07-02T17:15:12.200

Modified: 2024-11-21T05:04:46.203

Link: CVE-2020-15080

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "PrestaShop", "vendor": "PrestaShop", "versions": [{"status": "affected", "version": ">= 1.7.4.0, <1.7.6.6"}]}], "descriptions": [{"lang": "en", "value": "In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6 A possible workaround is to make sure `composer.json` and `docker-compose.yml` are not accessible on your server."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "{\"CWE-200\":\"Exposure of Sensitive Information to an Unauthorized Actor\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-02T16:45:19", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-492w-2pp5-xhvg"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/PrestaShop/PrestaShop/commit/35ef7e9d892287c302df1fc5aa05ecfc6f15bc76"}], "source": {"advisory": "GHSA-492w-2pp5-xhvg", "discovery": "UNKNOWN"}, "title": "Information disclosure in release archive in PrestaShop", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15080", "STATE": "PUBLIC", "TITLE": "Information disclosure in release archive in PrestaShop"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PrestaShop", "version": {"version_data": [{"version_value": ">= 1.7.4.0, <1.7.6.6"}]}}]}, "vendor_name": "PrestaShop"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6 A possible workaround is to make sure `composer.json` and `docker-compose.yml` are not accessible on your server."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-200\":\"Exposure of Sensitive Information to an Unauthorized Actor\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-492w-2pp5-xhvg", "refsource": "CONFIRM", "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-492w-2pp5-xhvg"}, {"name": "https://github.com/PrestaShop/PrestaShop/commit/35ef7e9d892287c302df1fc5aa05ecfc6f15bc76", "refsource": "MISC", "url": "https://github.com/PrestaShop/PrestaShop/commit/35ef7e9d892287c302df1fc5aa05ecfc6f15bc76"}]}, "source": {"advisory": "GHSA-492w-2pp5-xhvg", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:21.779Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-492w-2pp5-xhvg"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrestaShop/PrestaShop/commit/35ef7e9d892287c302df1fc5aa05ecfc6f15bc76"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15080", "datePublished": "2020-07-02T16:45:19", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:21.779Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6FF3203-0ACB-496C-A67C-D3D3E28D7414", "versionEndExcluding": "1.7.6.6", "versionStartExcluding": "1.7.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6 A possible workaround is to make sure `composer.json` and `docker-compose.yml` are not accessible on your server."}, {"lang": "es", "value": "En PrestaShop desde versi\u00f3n 1.7.4.0 y anteriores a versi\u00f3n 1.7.6.6, algunos archivos no deber\u00edan estar en el archivo de publicaci\u00f3n, y otros no deber\u00edan ser accesibles. El problema es corregido en versi\u00f3n 1.7.6.6. Una posible soluci\u00f3n alternativa es asegurarse de que \"composer.json\" y \"docker-compose.yml\" no sean accesibles en su servidor"}], "id": "CVE-2020-15080", "lastModified": "2024-11-21T05:04:46.203", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-02T17:15:12.200", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/PrestaShop/PrestaShop/commit/35ef7e9d892287c302df1fc5aa05ecfc6f15bc76"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-492w-2pp5-xhvg"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/PrestaShop/PrestaShop/commit/35ef7e9d892287c302df1fc5aa05ecfc6f15bc76"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-492w-2pp5-xhvg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}