Lucene search

[email protected]CVE-2020-10590

HistoryJul 30, 2021 - 2:15 p.m.

CVE-2020-10590

2021-07-3014:15:12

[email protected]

web.nvd.nist.gov

cve-2020-10590

replicated classic

security vulnerability

api

sensitive data

nvd

tls keypair

network security

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.9%

JSON

Replicated Classic 2.x versions have an improperly secured API that exposes sensitive data from the Replicated Admin Console configuration. An attacker with network access to the Admin Console port (8800) on the Replicated Classic server could retrieve the TLS Keypair (Cert and Key) used to configure the Admin Console.

Affected configurations

NVD

Node

replicatedreplicated_classicRange2.10.0–2.32.3

replicatedreplicated_classicRange2.33.0–2.36.0

replicatedreplicated_classicRange2.37.0–2.37.1

replicatedreplicated_classicRange2.38.0–2.38.5

replicatedreplicated_classicRange2.39.0–2.39.3

replicatedreplicated_classicRange2.40.0–2.40.3

replicatedreplicated_classicRange2.42.0–2.42.3

replicatedreplicated_classicMatch2.41.0

CPENameOperatorVersion
replicated:replicated_classicreplicated replicated classicle2.32.3
replicated:replicated_classicreplicated replicated classicle2.36.0
replicated:replicated_classicreplicated replicated classicle2.37.1
replicated:replicated_classicreplicated replicated classicle2.38.5
replicated:replicated_classicreplicated replicated classicle2.39.3
replicated:replicated_classicreplicated replicated classicle2.40.3
replicated:replicated_classicreplicated replicated classicle2.42.3
replicated:replicated_classicreplicated replicated classiceq2.41.0

CPE	Name	Operator	Version
replicated:replicated_classic	replicated replicated classic	le	2.32.3
replicated:replicated_classic	replicated replicated classic	le	2.36.0
replicated:replicated_classic	replicated replicated classic	le	2.37.1
replicated:replicated_classic	replicated replicated classic	le	2.38.5
replicated:replicated_classic	replicated replicated classic	le	2.39.3
replicated:replicated_classic	replicated replicated classic	le	2.40.3
replicated:replicated_classic	replicated replicated classic	le	2.42.3
replicated:replicated_classic	replicated replicated classic	eq	2.41.0

References

blog.replicated.com

gradle.com/enterprise/releases/2019.5/#changes

www.replicated.com/security/advisories/CVE-2020-10590

Social References

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.9%

JSON

Related for CVE-2020-10590

nvd1 prion1 cvelist1