CVE-2020-5846 - OpenCVE

An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.3.0.30 via a "PUT /obs/obm7/file/upload" request with the base64-encoded pathname in the X-RSW-custom-encode-path HTTP header, and the content in the HTTP request body. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full system access as the configured user (e.g., Administrator) when starting from any authenticated session (e.g., a trial account). This is fixed in the 83/830122/cbs-*-hotfix-task26000 builds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ahsay	Cloud Backup Suite

Configuration 1 [-]

cpe:2.3:a:ahsay:cloud_backup_suite:8.3.0.30:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.wbsec.nl/ahsay-2/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-01-06T20:11:38

Updated: 2024-08-04T08:39:25.930Z

Reserved: 2020-01-06T00:00:00

Link: CVE-2020-5846

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-01-06T21:15:11.737

Modified: 2020-01-17T15:04:30.480

Link: CVE-2020-5846

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.3.0.30 via a \"PUT /obs/obm7/file/upload\" request with the base64-encoded pathname in the X-RSW-custom-encode-path HTTP header, and the content in the HTTP request body. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full system access as the configured user (e.g., Administrator) when starting from any authenticated session (e.g., a trial account). This is fixed in the 83/830122/cbs-*-hotfix-task26000 builds."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-06T20:11:38", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.wbsec.nl/ahsay-2/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-5846", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.3.0.30 via a \"PUT /obs/obm7/file/upload\" request with the base64-encoded pathname in the X-RSW-custom-encode-path HTTP header, and the content in the HTTP request body. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full system access as the configured user (e.g., Administrator) when starting from any authenticated session (e.g., a trial account). This is fixed in the 83/830122/cbs-*-hotfix-task26000 builds."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.wbsec.nl/ahsay-2/", "refsource": "MISC", "url": "https://www.wbsec.nl/ahsay-2/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:39:25.930Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.wbsec.nl/ahsay-2/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-5846", "datePublished": "2020-01-06T20:11:38", "dateReserved": "2020-01-06T00:00:00", "dateUpdated": "2024-08-04T08:39:25.930Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ahsay:cloud_backup_suite:8.3.0.30:*:*:*:*:*:*:*", "matchCriteriaId": "726409AA-FFFC-4757-9DFD-CE88A107E2FE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.3.0.30 via a \"PUT /obs/obm7/file/upload\" request with the base64-encoded pathname in the X-RSW-custom-encode-path HTTP header, and the content in the HTTP request body. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full system access as the configured user (e.g., Administrator) when starting from any authenticated session (e.g., a trial account). This is fixed in the 83/830122/cbs-*-hotfix-task26000 builds."}, {"lang": "es", "value": "Se descubri\u00f3 un problema de carga de archivo no seguro y ejecuci\u00f3n de c\u00f3digo en Ahsay Cloud Backup Suite versi\u00f3n 8.3.0.30 por medio de una petici\u00f3n \"PUT /obs/obm7/file/upload\" con el nombre de ruta codificado en base64 en el encabezado HTTP X-RSW-custom-encode-path y el contenido en el cuerpo de la petici\u00f3n HTTP. Es posible cargar un archivo en cualquier directorio del servidor. Puede ser insertado un shell JSP en el directorio del servidor web y ejecutarlo. Esto conlleva a un acceso completo al sistema como usuario configurado (por ejemplo, Administrador) cuando es iniciado desde cualquier sesi\u00f3n autenticada (por ejemplo, una cuenta de prueba). Esto es corregido en las compilaciones 83/830122 / cbs-*-hotfix-task26000."}], "id": "CVE-2020-5846", "lastModified": "2020-01-17T15:04:30.480", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-06T21:15:11.737", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.wbsec.nl/ahsay-2/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}