CVE-2020-29041 - OpenCVE

A misconfiguration in Web-Sesame 2020.1.1.3375 allows an unauthenticated attacker to download the source code of the application, facilitating its comprehension (code review). Specifically, JavaScript source maps were inadvertently included in the production Webpack configuration. These maps contain sources used to generate the bundle, configuration settings (e.g., API keys), and developers' comments.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sesame-system	Web-sesame

Configuration 1 [-]

cpe:2.3:a:sesame-system:web-sesame:2020.1.1.3375:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://blog.bssi.fr/source-code-vulnerability-disclosure-discovered-in-the-web-sesame-application-of-til-technologies/
https://blog.bssi.fr/vulnerabilite-de-divulgation-de-code-source-identifiee-au-sein-de-lapplication-web-sesame-de-til-technologies/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-01-06T20:52:14

Updated: 2024-08-04T16:48:01.347Z

Reserved: 2020-11-24T00:00:00

Link: CVE-2020-29041

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-01-06T21:15:14.253

Modified: 2021-01-13T19:22:08.880

Link: CVE-2020-29041

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A misconfiguration in Web-Sesame 2020.1.1.3375 allows an unauthenticated attacker to download the source code of the application, facilitating its comprehension (code review). Specifically, JavaScript source maps were inadvertently included in the production Webpack configuration. These maps contain sources used to generate the bundle, configuration settings (e.g., API keys), and developers' comments."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-06T20:52:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.bssi.fr/source-code-vulnerability-disclosure-discovered-in-the-web-sesame-application-of-til-technologies/"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.bssi.fr/vulnerabilite-de-divulgation-de-code-source-identifiee-au-sein-de-lapplication-web-sesame-de-til-technologies/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-29041", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A misconfiguration in Web-Sesame 2020.1.1.3375 allows an unauthenticated attacker to download the source code of the application, facilitating its comprehension (code review). Specifically, JavaScript source maps were inadvertently included in the production Webpack configuration. These maps contain sources used to generate the bundle, configuration settings (e.g., API keys), and developers' comments."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blog.bssi.fr/source-code-vulnerability-disclosure-discovered-in-the-web-sesame-application-of-til-technologies/", "refsource": "MISC", "url": "https://blog.bssi.fr/source-code-vulnerability-disclosure-discovered-in-the-web-sesame-application-of-til-technologies/"}, {"name": "https://blog.bssi.fr/vulnerabilite-de-divulgation-de-code-source-identifiee-au-sein-de-lapplication-web-sesame-de-til-technologies/", "refsource": "MISC", "url": "https://blog.bssi.fr/vulnerabilite-de-divulgation-de-code-source-identifiee-au-sein-de-lapplication-web-sesame-de-til-technologies/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:48:01.347Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.bssi.fr/source-code-vulnerability-disclosure-discovered-in-the-web-sesame-application-of-til-technologies/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.bssi.fr/vulnerabilite-de-divulgation-de-code-source-identifiee-au-sein-de-lapplication-web-sesame-de-til-technologies/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-29041", "datePublished": "2021-01-06T20:52:14", "dateReserved": "2020-11-24T00:00:00", "dateUpdated": "2024-08-04T16:48:01.347Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sesame-system:web-sesame:2020.1.1.3375:*:*:*:*:*:*:*", "matchCriteriaId": "F0E83B83-43D6-424A-8602-63F56676C1CB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A misconfiguration in Web-Sesame 2020.1.1.3375 allows an unauthenticated attacker to download the source code of the application, facilitating its comprehension (code review). Specifically, JavaScript source maps were inadvertently included in the production Webpack configuration. These maps contain sources used to generate the bundle, configuration settings (e.g., API keys), and developers' comments."}, {"lang": "es", "value": "Una configuraci\u00f3n inapropiada en Web-Sesame versi\u00f3n 2020.1.1.3375, permite a un atacante no autenticado descargar el c\u00f3digo fuente de la aplicaci\u00f3n, facilitando su comprensi\u00f3n (revisi\u00f3n de c\u00f3digo). Espec\u00edficamente, los mapas de c\u00f3digo fuente de JavaScript fueron incluidos inadvertidamente en la configuraci\u00f3n del Webpack de producci\u00f3n. Estos mapas contienen fuentes utilizadas para generar el paquete, ajustes de configuraci\u00f3n (por ejemplo, claves de API) y comentarios de los desarrolladores"}], "id": "CVE-2020-29041", "lastModified": "2021-01-13T19:22:08.880", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-06T21:15:14.253", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.bssi.fr/source-code-vulnerability-disclosure-discovered-in-the-web-sesame-application-of-til-technologies/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.bssi.fr/vulnerabilite-de-divulgation-de-code-source-identifiee-au-sein-de-lapplication-web-sesame-de-til-technologies/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}