CVE-2020-15120 - OpenCVE

In "I hate money" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ihatemoney	I Hate Money

Configuration 1 [-]

cpe:2.3:a:ihatemoney:i_hate_money:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/spiral-project/ihatemoney/commit/8d77cf5d5646e1d2d8ded13f0660638f57e98471
https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-07-27T17:50:12

Updated: 2024-08-04T13:08:21.957Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15120

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-07-27T18:15:13.983

Modified: 2020-07-29T18:09:36.850

Link: CVE-2020-15120

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ihatemoney", "vendor": "spiral-project", "versions": [{"status": "affected", "version": "< 4.1.5"}]}], "descriptions": [{"lang": "en", "value": "In \"I hate money\" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "{\"CWE-863\":\"Incorrect Authorization\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-28T17:07:27", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/spiral-project/ihatemoney/commit/8d77cf5d5646e1d2d8ded13f0660638f57e98471"}], "source": {"advisory": "GHSA-67j9-c52g-w2q9", "discovery": "UNKNOWN"}, "title": "Authorization Bypass in I hate money", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15120", "STATE": "PUBLIC", "TITLE": "Authorization Bypass in I hate money"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ihatemoney", "version": {"version_data": [{"version_value": "< 4.1.5"}]}}]}, "vendor_name": "spiral-project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In \"I hate money\" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-863\":\"Incorrect Authorization\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9", "refsource": "CONFIRM", "url": "https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9"}, {"name": "https://github.com/spiral-project/ihatemoney/commit/8d77cf5d5646e1d2d8ded13f0660638f57e98471", "refsource": "MISC", "url": "https://github.com/spiral-project/ihatemoney/commit/8d77cf5d5646e1d2d8ded13f0660638f57e98471"}]}, "source": {"advisory": "GHSA-67j9-c52g-w2q9", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:21.957Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/spiral-project/ihatemoney/commit/8d77cf5d5646e1d2d8ded13f0660638f57e98471"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15120", "datePublished": "2020-07-27T17:50:12", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:21.957Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ihatemoney:i_hate_money:*:*:*:*:*:*:*:*", "matchCriteriaId": "454CE36C-D558-461D-99E5-6A533CD5C59A", "versionEndExcluding": "4.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In \"I hate money\" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5."}, {"lang": "es", "value": "En \"I hate money\" antes de la versi\u00f3n 4.1.5, un miembro autenticado de un proyecto puede modificar y eliminar miembros de otro proyecto, sin conocer el c\u00f3digo privado de este otro proyecto. Esto puede ser explotado a\u00fan m\u00e1s para acceder a todas las facturas de otro proyecto sin conocer el c\u00f3digo privado de este otro proyecto. Con la configuraci\u00f3n predeterminada, es permitido a cualquiera crear un nuevo proyecto. Un atacante puede crear un nuevo proyecto y luego usarlo para autenticarse y explotar este fallo. Como tal, la exposici\u00f3n es similar a un ataque no autenticado, porque es muy sencillo autenticarse. Esto est\u00e1 corregido en la versi\u00f3n 4.1.5"}], "id": "CVE-2020-15120", "lastModified": "2020-07-29T18:09:36.850", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-07-27T18:15:13.983", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/spiral-project/ihatemoney/commit/8d77cf5d5646e1d2d8ded13f0660638f57e98471"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}