CVE-2020-8968 - OpenCVE

Parallels Remote Application Server (RAS) allows a local attacker to retrieve certain profile password in clear text format by uploading a previously stored cyphered file by Parallels RAS. The confidentiality, availability and integrity of the information of the user could be compromised if an attacker is able to recover the profile password.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Parallels	Remote Application Server

Configuration 1 [-]

cpe:2.3:a:parallels:remote_application_server:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/parallels-remote-application-server-credentials-management-errors

History

No history.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2021-12-17T16:10:37.247061Z

Updated: 2024-09-17T01:02:06.573Z

Reserved: 2020-02-13T00:00:00

Link: CVE-2020-8968

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-12-17T17:15:10.663

Modified: 2023-11-20T10:15:20.693

Link: CVE-2020-8968

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Parallels Remote Application Server (Client)", "vendor": "Parallels", "versions": [{"lessThanOrEqual": "17", "status": "affected", "version": "15.5", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Francisco Palma, Diego Le\u00f3n and David Jim\u00e9nez"}], "datePublic": "2021-12-16T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Parallels Remote Application Server (RAS) allows a local attacker to retrieve certain profile password in clear text format by uploading a previously stored cyphered file by Parallels RAS. The confidentiality, availability and integrity of the information of the user could be compromised if an attacker is able to recover the profile password."}], "value": "Parallels Remote Application Server (RAS) allows a local attacker to retrieve certain profile password in clear text format by uploading a previously stored cyphered file by Parallels RAS. The confidentiality, availability and integrity of the information of the user could be compromised if an attacker is able to recover the profile password."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-255", "description": "CWE-255 Credentials Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-11-20T10:04:24.068Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/parallels-remote-application-server-credentials-management-errors"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Parallels periodically publish the fixes and note patches in their knowledge base."}], "value": "Parallels periodically publish the fixes and note patches in their knowledge base."}], "source": {"advisory": "INCIBE-2021-0512", "discovery": "EXTERNAL"}, "title": "Parallels Remote Application Server credentials management errors", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-coordination@incibe.es", "DATE_PUBLIC": "2021-12-17T09:00:00.000Z", "ID": "CVE-2020-8968", "STATE": "PUBLIC", "TITLE": "Parallels Remote Application Server credentials management errors"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Parallels Remote Application Server (Client)", "version": {"version_data": [{"version_affected": ">=", "version_name": "15.5", "version_value": "15.5"}, {"version_affected": "<=", "version_name": "17", "version_value": "17"}]}}]}, "vendor_name": "Parallels"}]}}, "credit": [{"lang": "eng", "value": "Francisco Palma, Diego Le\u00f3n and David Jim\u00e9nez"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Parallels Remote Application Server (RAS) allows a local attacker to retrieve certain profile password in clear text format by uploading a previously stored cyphered file by Parallels RAS. The confidentiality, availability and integrity of the information of the user could be compromised if an attacker is able to recover the profile password."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-255 Credentials Management"}]}]}, "references": {"reference_data": [{"name": "https://www.incibe-cert.es/en/early-warning/security-advisories/parallels-remote-application-server-credentials-management-errors", "refsource": "CONFIRM", "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/parallels-remote-application-server-credentials-management-errors"}]}, "solution": [{"lang": "en", "value": "Parallels periodically publish the fixes and note patches in their knowledge base."}], "source": {"advisory": "INCIBE-2021-0512", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:19:19.490Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/parallels-remote-application-server-credentials-management-errors"}]}]}, "cveMetadata": {"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "assignerShortName": "INCIBE", "cveId": "CVE-2020-8968", "datePublished": "2021-12-17T16:10:37.247061Z", "dateReserved": "2020-02-13T00:00:00", "dateUpdated": "2024-09-17T01:02:06.573Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parallels:remote_application_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "560DD192-9770-4FBC-AFCF-3C51F717CE51", "versionEndIncluding": "17.0", "versionStartIncluding": "15.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Parallels Remote Application Server (RAS) allows a local attacker to retrieve certain profile password in clear text format by uploading a previously stored cyphered file by Parallels RAS. The confidentiality, availability and integrity of the information of the user could be compromised if an attacker is able to recover the profile password."}, {"lang": "es", "value": "Parallels Remote Application Server (RAS) permite a un atacante local recuperar determinadas contrase\u00f1as de perfil en formato de texto sin cifrar al cargar un archivo cifrado previamente almacenado por Parallels RAS. La confidencialidad, disponibilidad e integridad de la informaci\u00f3n del usuario podr\u00eda estar comprometida si un atacante es capaz de recuperar la contrase\u00f1a del perfil"}], "id": "CVE-2020-8968", "lastModified": "2023-11-20T10:15:20.693", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2021-12-17T17:15:10.663", "references": [{"source": "cve-coordination@incibe.es", "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/parallels-remote-application-server-credentials-management-errors"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-255"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}