CVE-2020-5292 - OpenCVE

Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. The impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data like the users' and administrators' password hashes, modify data, or drop tables. The unescaped parameter is "searchUsers" when sending a POST request to "/tickets/showKanban" with a valid session. In the code, the parameter is named "users" in class.tickets.php. This issue is fixed in versions 2.0.15 and 2.1.0 beta 3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Leantime	Leantime

Configuration 1 [-]

cpe:2.3:a:leantime:leantime:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/Leantime/leantime/commit/af0807f0b2c4c3c914b93f1c5d940e6b875f231f
https://github.com/Leantime/leantime/pull/181
https://github.com/Leantime/leantime/security/advisories/GHSA-ww6x-rhvp-55hp

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-03-31T18:15:15

Updated: 2024-08-04T08:22:09.190Z

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5292

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-03-31T19:15:14.383

Modified: 2020-04-02T17:18:54.670

Link: CVE-2020-5292

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Leantime", "vendor": "Leantime", "versions": [{"status": "affected", "version": "< 2.0.15"}]}], "descriptions": [{"lang": "en", "value": "Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. The impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data like the users' and administrators' password hashes, modify data, or drop tables. The unescaped parameter is \"searchUsers\" when sending a POST request to \"/tickets/showKanban\" with a valid session. In the code, the parameter is named \"users\" in class.tickets.php. This issue is fixed in versions 2.0.15 and 2.1.0 beta 3."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-31T18:15:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Leantime/leantime/security/advisories/GHSA-ww6x-rhvp-55hp"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Leantime/leantime/pull/181"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Leantime/leantime/commit/af0807f0b2c4c3c914b93f1c5d940e6b875f231f"}], "source": {"advisory": "GHSA-ww6x-rhvp-55hp", "discovery": "UNKNOWN"}, "title": "Time-based blind injection in Leantime", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5292", "STATE": "PUBLIC", "TITLE": "Time-based blind injection in Leantime"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Leantime", "version": {"version_data": [{"version_value": "< 2.0.15"}]}}]}, "vendor_name": "Leantime"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. The impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data like the users' and administrators' password hashes, modify data, or drop tables. The unescaped parameter is \"searchUsers\" when sending a POST request to \"/tickets/showKanban\" with a valid session. In the code, the parameter is named \"users\" in class.tickets.php. This issue is fixed in versions 2.0.15 and 2.1.0 beta 3."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Leantime/leantime/security/advisories/GHSA-ww6x-rhvp-55hp", "refsource": "CONFIRM", "url": "https://github.com/Leantime/leantime/security/advisories/GHSA-ww6x-rhvp-55hp"}, {"name": "https://github.com/Leantime/leantime/pull/181", "refsource": "MISC", "url": "https://github.com/Leantime/leantime/pull/181"}, {"name": "https://github.com/Leantime/leantime/commit/af0807f0b2c4c3c914b93f1c5d940e6b875f231f", "refsource": "MISC", "url": "https://github.com/Leantime/leantime/commit/af0807f0b2c4c3c914b93f1c5d940e6b875f231f"}]}, "source": {"advisory": "GHSA-ww6x-rhvp-55hp", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.190Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Leantime/leantime/security/advisories/GHSA-ww6x-rhvp-55hp"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Leantime/leantime/pull/181"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Leantime/leantime/commit/af0807f0b2c4c3c914b93f1c5d940e6b875f231f"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5292", "datePublished": "2020-03-31T18:15:15", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:09.190Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:leantime:leantime:*:*:*:*:*:*:*:*", "matchCriteriaId": "53096955-4922-4DF7-862B-1023F1BFBF2B", "versionEndExcluding": "2.0.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. The impact is high. Malicious users/attackers can execute arbitrary SQL queries negatively affecting the confidentiality, integrity, and availability of the site. Attackers can exfiltrate data like the users' and administrators' password hashes, modify data, or drop tables. The unescaped parameter is \"searchUsers\" when sending a POST request to \"/tickets/showKanban\" with a valid session. In the code, the parameter is named \"users\" in class.tickets.php. This issue is fixed in versions 2.0.15 and 2.1.0 beta 3."}, {"lang": "es", "value": "Leantime versiones anteriores a 2.0.15 y 2.1-beta3, presenta una vulnerabilidad de inyecci\u00f3n SQL. El impacto es alto. Los usuarios y atacantes maliciosos pueden ejecutar consultas SQL arbitrarias afectando negativamente la confidencialidad, integridad y disponibilidad del sitio. Los atacantes pueden filtrar datos como los hash de contrase\u00f1a de los usuarios y administradores, modificar datos o disminuir tablas. El par\u00e1metro no escapado es \"searchUsers\" cuando se env\u00eda una petici\u00f3n POST hacia \"/tickets/showKanban\" con una sesi\u00f3n v\u00e1lida. En el c\u00f3digo, el par\u00e1metro es nombrado \"users\" en el archivo class.tickets.php. Este problema es corregido en las versiones 2.0.15 y 2.1.0 beta 3."}], "id": "CVE-2020-5292", "lastModified": "2020-04-02T17:18:54.670", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-03-31T19:15:14.383", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Leantime/leantime/commit/af0807f0b2c4c3c914b93f1c5d940e6b875f231f"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Leantime/leantime/pull/181"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Leantime/leantime/security/advisories/GHSA-ww6x-rhvp-55hp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}