CVE-2020-12145 (GCVE-0-2020-12145)
Vulnerability from cvelistv5
Published
2020-11-05 18:48
Modified
2024-09-16 17:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CVE-2020-12145
- CWE-287 - Improper Authentication
Summary
Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ uses HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted by customers –on-premise or in a public cloud provider –are affected by this vulnerability.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Silver Peak Systems, Inc. | Unity Orchestrator |
Version: All versions affected prior to Silver Peak Unity Orchestrator 8.9.11+ Version: 8.10.11+ Version: or 9.0.1+. |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:58.474Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.silver-peak.com/support/user-documentation/security-advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Unity Orchestrator",
"vendor": "Silver Peak Systems, Inc.",
"versions": [
{
"status": "affected",
"version": "All versions affected prior to Silver Peak Unity Orchestrator 8.9.11+"
},
{
"status": "affected",
"version": "8.10.11+"
},
{
"status": "affected",
"version": "or 9.0.1+."
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This vulnerability was reported to Silver Peak by the security team at Realmode Labs."
}
],
"datePublic": "2020-10-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ uses HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted by customers \u2013on-premise or in a public cloud provider \u2013are affected by this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CVE-2020-12145",
"lang": "en",
"type": "text"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-05T18:48:31.000Z",
"orgId": "83cc1b1a-46b0-4ac1-94f2-bbef3319bc4c",
"shortName": "Silver Peak"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.silver-peak.com/support/user-documentation/security-advisories"
}
],
"solutions": [
{
"lang": "en",
"value": "Recommended Actions for Silver Peak Customers: Upgrade to Orchestrator 8.9.11+, 8.10.11+, or 9.0.1+."
}
],
"source": {
"advisory": "Security Advisory 2020-10-31-01-001",
"discovery": "EXTERNAL"
},
"title": "Silver Peak Unity OrchestratorTM authentication can be subverted through manipulation of HTTP headers.",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "sirt@silver-peak.com",
"DATE_PUBLIC": "2020-10-31T16:00:00.000Z",
"ID": "CVE-2020-12145",
"STATE": "PUBLIC",
"TITLE": "Silver Peak Unity OrchestratorTM authentication can be subverted through manipulation of HTTP headers."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Unity Orchestrator",
"version": {
"version_data": [
{
"version_value": "All versions affected prior to Silver Peak Unity Orchestrator 8.9.11+"
},
{
"version_value": "8.10.11+"
},
{
"version_value": "or 9.0.1+."
}
]
}
}
]
},
"vendor_name": "Silver Peak Systems, Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This vulnerability was reported to Silver Peak by the security team at Realmode Labs."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ uses HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted by customers \u2013on-premise or in a public cloud provider \u2013are affected by this vulnerability."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CVE-2020-12145"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.silver-peak.com/support/user-documentation/security-advisories",
"refsource": "MISC",
"url": "https://www.silver-peak.com/support/user-documentation/security-advisories"
}
]
},
"solution": [
{
"lang": "en",
"value": "Recommended Actions for Silver Peak Customers: Upgrade to Orchestrator 8.9.11+, 8.10.11+, or 9.0.1+."
}
],
"source": {
"advisory": "Security Advisory 2020-10-31-01-001",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "83cc1b1a-46b0-4ac1-94f2-bbef3319bc4c",
"assignerShortName": "Silver Peak",
"cveId": "CVE-2020-12145",
"datePublished": "2020-11-05T18:48:31.021Z",
"dateReserved": "2020-04-24T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:07:58.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…