CVE-2020-15153 - Vulnerability Details - OpenCVE

Description

Ampache before version 4.2.2 allows unauthenticated users to perform SQL injection. Refer to the referenced GitHub Security Advisory for details and a workaround. This is fixed in version 4.2.2 and the development branch.

Published: 2021-04-30

Score: 8.2 High

EPSS: 2.1% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ampache

ampache

affected

Version	Status	Constraints
`< 4.2.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:ampache:ampache:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2020-7233	Ampache before version 4.2.2 allows unauthenticated users to perform SQL injection. Refer to the referenced GitHub Security Advisory for details and a workaround. This is fixed in version 4.2.2 and the development branch.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.02059.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/ampache/ampache/commit/e92cb6154c32c513b9c07e5fdbf5ac7de81ef5ed
https://github.com/ampache/ampache/releases/tag/4.2.2
https://github.com/ampache/ampache/security/advisories/GHSA-phr3-mpx5-7826

History

No history.

Subscriptions

Ampache Ampache

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-04-30T15:20:16.000Z

Updated: 2024-08-04T13:08:22.314Z

Reserved: 2020-06-25T00:00:00.000Z

Link: CVE-2020-15153

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-04-30T16:15:07.447

Modified: 2024-11-21T05:04:57.403

Link: CVE-2020-15153

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-89

{"containers": {"cna": {"affected": [{"product": "ampache", "vendor": "ampache", "versions": [{"status": "affected", "version": "< 4.2.2"}]}], "descriptions": [{"lang": "en", "value": "Ampache before version 4.2.2 allows unauthenticated users to perform SQL injection. Refer to the referenced GitHub Security Advisory for details and a workaround. This is fixed in version 4.2.2 and the development branch."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "{\"CWE-89\":\"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-30T15:20:15.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ampache/ampache/security/advisories/GHSA-phr3-mpx5-7826"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ampache/ampache/commit/e92cb6154c32c513b9c07e5fdbf5ac7de81ef5ed"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ampache/ampache/releases/tag/4.2.2"}], "source": {"advisory": "GHSA-phr3-mpx5-7826", "discovery": "UNKNOWN"}, "title": "Unauthenticated SQL injection in Ampache", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15153", "STATE": "PUBLIC", "TITLE": "Unauthenticated SQL injection in Ampache"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ampache", "version": {"version_data": [{"version_value": "< 4.2.2"}]}}]}, "vendor_name": "ampache"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Ampache before version 4.2.2 allows unauthenticated users to perform SQL injection. Refer to the referenced GitHub Security Advisory for details and a workaround. This is fixed in version 4.2.2 and the development branch."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-89\":\"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ampache/ampache/security/advisories/GHSA-phr3-mpx5-7826", "refsource": "CONFIRM", "url": "https://github.com/ampache/ampache/security/advisories/GHSA-phr3-mpx5-7826"}, {"name": "https://github.com/ampache/ampache/commit/e92cb6154c32c513b9c07e5fdbf5ac7de81ef5ed", "refsource": "MISC", "url": "https://github.com/ampache/ampache/commit/e92cb6154c32c513b9c07e5fdbf5ac7de81ef5ed"}, {"name": "https://github.com/ampache/ampache/releases/tag/4.2.2", "refsource": "MISC", "url": "https://github.com/ampache/ampache/releases/tag/4.2.2"}]}, "source": {"advisory": "GHSA-phr3-mpx5-7826", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:22.314Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ampache/ampache/security/advisories/GHSA-phr3-mpx5-7826"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ampache/ampache/commit/e92cb6154c32c513b9c07e5fdbf5ac7de81ef5ed"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ampache/ampache/releases/tag/4.2.2"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15153", "datePublished": "2021-04-30T15:20:16.000Z", "dateReserved": "2020-06-25T00:00:00.000Z", "dateUpdated": "2024-08-04T13:08:22.314Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ampache:ampache:*:*:*:*:*:*:*:*", "matchCriteriaId": "2058E2E3-F6DC-4174-A612-B0038C9EFB11", "versionEndExcluding": "4.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Ampache before version 4.2.2 allows unauthenticated users to perform SQL injection. Refer to the referenced GitHub Security Advisory for details and a workaround. This is fixed in version 4.2.2 and the development branch."}, {"lang": "es", "value": "Ampache versiones anteriores a 4.2.2, permite a usuarios no autenticados llevar a cabo una inyecci\u00f3n SQL. Consulte el Aviso de seguridad de GitHub al que se hace referencia para obtener detalles y una soluci\u00f3n alternativa. Esto es corregido en versi\u00f3n 4.2.2 y en la rama de desarrollo."}], "id": "CVE-2020-15153", "lastModified": "2024-11-21T05:04:57.403", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-30T16:15:07.447", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ampache/ampache/commit/e92cb6154c32c513b9c07e5fdbf5ac7de81ef5ed"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/ampache/ampache/releases/tag/4.2.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/ampache/ampache/security/advisories/GHSA-phr3-mpx5-7826"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ampache/ampache/commit/e92cb6154c32c513b9c07e5fdbf5ac7de81ef5ed"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/ampache/ampache/releases/tag/4.2.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/ampache/ampache/security/advisories/GHSA-phr3-mpx5-7826"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}