CVE-2020-7038 - Vulnerability Details - OpenCVE

Description

A vulnerability was discovered in Management component of Avaya Equinox Conferencing that could potentially allow an unauthenticated, remote attacker to gain access to screen sharing and whiteboard sessions. The affected versions of Management component of Avaya Equinox Conferencing include all 3.x versions before 3.17. Avaya Equinox Conferencing is now offered as Avaya Meetings Server.

Published: 2021-04-28

Score: 7.5 High

EPSS: 1.8% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Avaya

Avaya Meetings Management

affected

Version	Status	Constraints
`3.x`	affected	< 3.17

Configuration 1 [-]

cpe:2.3:a:avaya:equinox_conferencing:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2020-28172	A vulnerability was discovered in Management component of Avaya Equinox Conferencing that could potentially allow an unauthenticated, remote attacker to gain access to screen sharing and whiteboard sessions. The affected versions of Management component of Avaya Equinox Conferencing include all 3.x versions before 3.17. Avaya Equinox Conferencing is now offered as Avaya Meetings Server.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.01808.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://support.avaya.com/css/P8/documents/101075574

History

No history.

Subscriptions

Avaya Equinox Conferencing

MITRE

Status: PUBLISHED

Assigner: avaya

Published: 2021-04-28T21:30:21.281Z

Updated: 2024-09-16T21:04:25.962Z

Reserved: 2020-01-14T00:00:00.000Z

Link: CVE-2020-7038

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-04-28T22:15:08.290

Modified: 2024-11-21T05:36:31.893

Link: CVE-2020-7038

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"containers": {"cna": {"affected": [{"product": "Avaya Meetings Management", "vendor": "Avaya", "versions": [{"lessThan": "3.17", "status": "affected", "version": "3.x", "versionType": "custom"}]}], "datePublic": "2021-04-28T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "A vulnerability was discovered in Management component of Avaya Equinox Conferencing that could potentially allow an unauthenticated, remote attacker to gain access to screen sharing and whiteboard sessions. The affected versions of Management component of Avaya Equinox Conferencing include all 3.x versions before 3.17. Avaya Equinox Conferencing is now offered as Avaya Meetings Server."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control\nCWE-200: Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-28T21:30:21.000Z", "orgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "shortName": "avaya"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://support.avaya.com/css/P8/documents/101075574"}], "source": {"advisory": "ASA-2021-036"}, "title": "Avaya Meetings Server Information Disclosure vulnerability", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "securityalerts@avaya.com", "DATE_PUBLIC": "2021-04-28T06:00:00.000Z", "ID": "CVE-2020-7038", "STATE": "PUBLIC", "TITLE": "Avaya Meetings Server Information Disclosure vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Avaya Meetings Management", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "3.x", "version_value": "3.17"}]}}]}, "vendor_name": "Avaya"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability was discovered in Management component of Avaya Equinox Conferencing that could potentially allow an unauthenticated, remote attacker to gain access to screen sharing and whiteboard sessions. The affected versions of Management component of Avaya Equinox Conferencing include all 3.x versions before 3.17. Avaya Equinox Conferencing is now offered as Avaya Meetings Server."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284: Improper Access Control\nCWE-200: Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://support.avaya.com/css/P8/documents/101075574", "refsource": "CONFIRM", "url": "https://support.avaya.com/css/P8/documents/101075574"}]}, "source": {"advisory": "ASA-2021-036"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:18:02.671Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.avaya.com/css/P8/documents/101075574"}]}]}, "cveMetadata": {"assignerOrgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "assignerShortName": "avaya", "cveId": "CVE-2020-7038", "datePublished": "2021-04-28T21:30:21.281Z", "dateReserved": "2020-01-14T00:00:00.000Z", "dateUpdated": "2024-09-16T21:04:25.962Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avaya:equinox_conferencing:*:*:*:*:*:*:*:*", "matchCriteriaId": "C123C83E-6FEB-482D-9ADB-21B4248F7977", "versionEndExcluding": "9.1.11", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was discovered in Management component of Avaya Equinox Conferencing that could potentially allow an unauthenticated, remote attacker to gain access to screen sharing and whiteboard sessions. The affected versions of Management component of Avaya Equinox Conferencing include all 3.x versions before 3.17. Avaya Equinox Conferencing is now offered as Avaya Meetings Server."}, {"lang": "es", "value": "Se detect\u00f3 una vulnerabilidad en el componente Management de Avaya Equinox Conferencing que podr\u00eda permitir a un atacante remoto no autenticado conseguir acceso a las sesiones de pantalla compartida y de pizarra. Las versiones afectadas del componente Management de Avaya Equinox Conferencing incluyen todas las versiones 3.x anteriores a la 3.17. Avaya Equinox Conferencing ahora se ofrece como Avaya Meetings Server"}], "id": "CVE-2020-7038", "lastModified": "2024-11-21T05:36:31.893", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "securityalerts@avaya.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-28T22:15:08.290", "references": [{"source": "securityalerts@avaya.com", "tags": ["Vendor Advisory"], "url": "https://support.avaya.com/css/P8/documents/101075574"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://support.avaya.com/css/P8/documents/101075574"}], "sourceIdentifier": "securityalerts@avaya.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "securityalerts@avaya.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}