CVE-2020-26207 - OpenCVE

DatabaseSchemaViewer before version 2.7.4.3 is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted `.dbschema` file. The patch was released in v2.7.4.3. As a workaround, ensure `.dbschema` files from untrusted sources are not opened.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Databaseschemareader Project	Dbschemareader

Configuration 1 [-]

cpe:2.3:a:databaseschemareader_project:dbschemareader:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/martinjw/dbschemareader/commit/4c0ab7b1fd8c4e3140f9fd54d303f107a9c8d994
https://github.com/martinjw/dbschemareader/releases/tag/2.7.4.3
https://github.com/martinjw/dbschemareader/security/advisories/GHSA-rfjh-m356-mpqf

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-11-04T22:00:17

Updated: 2024-08-04T15:49:07.140Z

Reserved: 2020-10-01T00:00:00

Link: CVE-2020-26207

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-11-04T22:15:12.320

Modified: 2020-11-19T16:49:38.357

Link: CVE-2020-26207

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "dbschemareader", "vendor": "martinjw", "versions": [{"status": "affected", "version": "< 2.7.4.3"}]}], "descriptions": [{"lang": "en", "value": "DatabaseSchemaViewer before version 2.7.4.3 is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted `.dbschema` file. The patch was released in v2.7.4.3. As a workaround, ensure `.dbschema` files from untrusted sources are not opened."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-04T22:00:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/martinjw/dbschemareader/security/advisories/GHSA-rfjh-m356-mpqf"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/martinjw/dbschemareader/commit/4c0ab7b1fd8c4e3140f9fd54d303f107a9c8d994"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/martinjw/dbschemareader/releases/tag/2.7.4.3"}], "source": {"advisory": "GHSA-rfjh-m356-mpqf", "discovery": "UNKNOWN"}, "title": "Unsafe deserialization in DatabaseSchemaViewer", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26207", "STATE": "PUBLIC", "TITLE": "Unsafe deserialization in DatabaseSchemaViewer"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "dbschemareader", "version": {"version_data": [{"version_value": "< 2.7.4.3"}]}}]}, "vendor_name": "martinjw"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "DatabaseSchemaViewer before version 2.7.4.3 is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted `.dbschema` file. The patch was released in v2.7.4.3. As a workaround, ensure `.dbschema` files from untrusted sources are not opened."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://github.com/martinjw/dbschemareader/security/advisories/GHSA-rfjh-m356-mpqf", "refsource": "CONFIRM", "url": "https://github.com/martinjw/dbschemareader/security/advisories/GHSA-rfjh-m356-mpqf"}, {"name": "https://github.com/martinjw/dbschemareader/commit/4c0ab7b1fd8c4e3140f9fd54d303f107a9c8d994", "refsource": "MISC", "url": "https://github.com/martinjw/dbschemareader/commit/4c0ab7b1fd8c4e3140f9fd54d303f107a9c8d994"}, {"name": "https://github.com/martinjw/dbschemareader/releases/tag/2.7.4.3", "refsource": "MISC", "url": "https://github.com/martinjw/dbschemareader/releases/tag/2.7.4.3"}]}, "source": {"advisory": "GHSA-rfjh-m356-mpqf", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:49:07.140Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/martinjw/dbschemareader/security/advisories/GHSA-rfjh-m356-mpqf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/martinjw/dbschemareader/commit/4c0ab7b1fd8c4e3140f9fd54d303f107a9c8d994"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/martinjw/dbschemareader/releases/tag/2.7.4.3"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26207", "datePublished": "2020-11-04T22:00:17", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:49:07.140Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:databaseschemareader_project:dbschemareader:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2B945CB-8395-4C6B-B267-7FD79CF8CE05", "versionEndExcluding": "2.7.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DatabaseSchemaViewer before version 2.7.4.3 is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted `.dbschema` file. The patch was released in v2.7.4.3. As a workaround, ensure `.dbschema` files from untrusted sources are not opened."}, {"lang": "es", "value": "DatabaseSchemaViewer versiones anteriores a 2.7.4.3, es vulnerable a una ejecuci\u00f3n de c\u00f3digo arbitraria si un usuario es enga\u00f1ado para que abra un archivo \".dbschema\" especialmente dise\u00f1ado. El parche fue publicado en la versi\u00f3n v2.7.4.3. Como soluci\u00f3n temporal, aseg\u00farese que los archivos \".dbschema\" de fuentes no confiables no est\u00e9n abiertos"}], "id": "CVE-2020-26207", "lastModified": "2020-11-19T16:49:38.357", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-11-04T22:15:12.320", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/martinjw/dbschemareader/commit/4c0ab7b1fd8c4e3140f9fd54d303f107a9c8d994"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/martinjw/dbschemareader/releases/tag/2.7.4.3"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/martinjw/dbschemareader/security/advisories/GHSA-rfjh-m356-mpqf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}