CVE-2020-15235 - OpenCVE

In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would normally be hidden to everyone except admins. All versions after commit f3dc89b9f6ab1544a289b3efc06699b13d63e0bd(3/10/20) are patched.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ractf	Core

Configuration 1 [-]

cpe:2.3:a:ractf:core:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/ractf/core/commit/f3dc89b9f6ab1544a289b3efc06699b13d63e0bd
https://github.com/ractf/core/security/advisories/GHSA-ph67-c355-52vm

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-10-05T15:15:13

Updated: 2024-08-04T13:08:23.234Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15235

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-10-05T16:15:12.237

Modified: 2020-10-19T18:53:09.600

Link: CVE-2020-15235

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "core", "vendor": "ractf", "versions": [{"status": "affected", "version": "< f3dc89b"}]}], "descriptions": [{"lang": "en", "value": "In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would normally be hidden to everyone except admins. All versions after commit f3dc89b9f6ab1544a289b3efc06699b13d63e0bd(3/10/20) are patched."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "{\"CWE-200\":\"Exposure of Sensitive Information to an Unauthorized Actor\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-05T15:15:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ractf/core/security/advisories/GHSA-ph67-c355-52vm"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ractf/core/commit/f3dc89b9f6ab1544a289b3efc06699b13d63e0bd"}], "source": {"advisory": "GHSA-ph67-c355-52vm", "discovery": "UNKNOWN"}, "title": "Sensitive data exposure in RACTF", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15235", "STATE": "PUBLIC", "TITLE": "Sensitive data exposure in RACTF"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "core", "version": {"version_data": [{"version_value": "< f3dc89b"}]}}]}, "vendor_name": "ractf"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would normally be hidden to everyone except admins. All versions after commit f3dc89b9f6ab1544a289b3efc06699b13d63e0bd(3/10/20) are patched."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-200\":\"Exposure of Sensitive Information to an Unauthorized Actor\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ractf/core/security/advisories/GHSA-ph67-c355-52vm", "refsource": "CONFIRM", "url": "https://github.com/ractf/core/security/advisories/GHSA-ph67-c355-52vm"}, {"name": "https://github.com/ractf/core/commit/f3dc89b9f6ab1544a289b3efc06699b13d63e0bd", "refsource": "MISC", "url": "https://github.com/ractf/core/commit/f3dc89b9f6ab1544a289b3efc06699b13d63e0bd"}]}, "source": {"advisory": "GHSA-ph67-c355-52vm", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:23.234Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ractf/core/security/advisories/GHSA-ph67-c355-52vm"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ractf/core/commit/f3dc89b9f6ab1544a289b3efc06699b13d63e0bd"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15235", "datePublished": "2020-10-05T15:15:13", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:23.234Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ractf:core:*:*:*:*:*:*:*:*", "matchCriteriaId": "89D2540B-5B14-4984-B6F1-D43546474CEA", "versionEndIncluding": "41edf92", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would normally be hidden to everyone except admins. All versions after commit f3dc89b9f6ab1544a289b3efc06699b13d63e0bd(3/10/20) are patched."}, {"lang": "es", "value": "En RACTF versiones anteriores al commit f3dc89b, los usuarios no autenticados pueden ser capaces de obtener el valor de las claves de configuraci\u00f3n confidenciales que normalmente estar\u00edan ocultas para todos excepto para los administradores. Todas las versiones posteriores a la confirmaci\u00f3n f3dc89b9f6ab1544a289b3efc06699b13d63e0bd (10/3/20) est\u00e1n parcheadas"}], "id": "CVE-2020-15235", "lastModified": "2020-10-19T18:53:09.600", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-10-05T16:15:12.237", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/ractf/core/commit/f3dc89b9f6ab1544a289b3efc06699b13d63e0bd"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ractf/core/security/advisories/GHSA-ph67-c355-52vm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}