Lucene search

[email protected]CVE-2020-3984

HistoryNov 24, 2020 - 4:15 p.m.

CVE-2020-3984

2020-11-2416:15:00

CWE-89

[email protected]

web.nvd.nist.gov

cve-2020-3984

sd-wan orchestrator

sql-injection

input validation

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

9.3 High

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

25.8%

JSON

The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3 and 3.4.x prior to 3.4.4 does not apply correct input validation which allows for SQL-injection. An authenticated SD-WAN Orchestrator user may exploit a vulnerable API call using specially crafted SQL queries which may lead to unauthorized data access.

CPENameOperatorVersion
vmware:sd-wan_orchestratorvmware sd-wan orchestratorlt3.4.4
vmware:sd-wan_orchestratorvmware sd-wan orchestratoreq3.3.2

CPE	Name	Operator	Version
vmware:sd-wan_orchestrator	vmware sd-wan orchestrator	lt	3.4.4
vmware:sd-wan_orchestrator	vmware sd-wan orchestrator	eq	3.3.2

References

www.vmware.com/security/advisories/VMSA-2020-0025.html

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

9.3 High

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

25.8%

JSON

Related for CVE-2020-3984

prion1 vmware1