Lucene search

GoogleOSV:CVE-2020-13694

HistoryJun 01, 2020 - 4:15 p.m.

CVE-2020-13694

2020-06-0116:15:14

Google

osv.dev

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.012 Low

EPSS

Percentile

84.9%

JSON

In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user can execute sudo mysql without a password, which means that the www-data user can execute arbitrary OS commands via the mysql -e option.

CPENameOperatorVersion
qbeq2.5.0
qbeq2.5.3
qbeq2.5.4
qbeq2.5.1
qbeq2.5.2
qbeq2.5.5
qbeq2.4.9

Name	Operator	Version
qb	eq	2.5.0
qb	eq	2.5.3
qb	eq	2.5.4
qb	eq	2.5.1
qb	eq	2.5.2
qb	eq	2.5.5
qb	eq	2.4.9

References

s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.012 Low

EPSS

Percentile

84.9%

JSON

Related for OSV:CVE-2020-13694