Lucene search

[email protected]CVE-2020-13656

HistoryJun 12, 2020 - 11:15 p.m.

CVE-2020-13656

2020-06-1223:15:10

CWE-787

CWE-125

[email protected]

web.nvd.nist.gov

cve-2020-13656

morgan stanley

hobbes

bounds checking

oob

vulnerability

code execution

rpc

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.6%

JSON

In Morgan Stanley Hobbes through 2020-05-21, the array implementation lacks bounds checking, allowing exploitation of an out-of-bounds (OOB) read/write vulnerability that leads to both local and remote code (via RPC) execution.

Affected configurations

NVD

Node

morganstanleyhobbesRange≤2020-05-21

CPENameOperatorVersion
morganstanley:hobbesmorganstanley hobbesle2020-05-21

CPE	Name	Operator	Version
morganstanley:hobbes	morganstanley hobbes	le	2020-05-21

References

know.bishopfox.com/advisories/oob-to-rce-exploitation-of-the-hobbes-functional-interpreter

Social References

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.6%

JSON

Related for CVE-2020-13656

nvd1 cvelist1 prion1