Lucene search

GitHub_MCVELIST:CVE-2020-5246

HistoryJul 14, 2020 - 8:42 p.m.

CVE-2020-5246 LDAP injection vulnerability in Traccar GPS Tracking System

2020-07-1420:42:10

CWE-90

GitHub_M

www.cve.org

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

0.0005 Low

EPSS

Percentile

17.8%

JSON

Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. It occurs when user input is being used in LDAP search filter. By providing specially crafted input, an attacker can modify the logic of the LDAP query and get admin privileges. The issue only impacts instances with LDAP configuration and where users can craft their own names. This has been patched in version 4.9.

CNA Affected

[
  {
    "product": "Traccar",
    "vendor": "Traccar",
    "versions": [
      {
        "status": "affected",
        "version": "< 4.9"
      }
    ]
  }
]

References

github.com/traccar/traccar/commit/e4f6e74e57ab743b65d49ae00f6624a20ca0291e

github.com/traccar/traccar/security/advisories/GHSA-v955-7g22-2p49

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

0.0005 Low

EPSS

Percentile

17.8%

JSON

Related for CVELIST:CVE-2020-5246