CVE-2020-29668 Information
Description
Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Reference
https://github.com/sympa-community/sympa/blob/6.2.59b.2/NEWS.md
https://github.com/sympa-community/sympa/issues/1041
https://github.com/sympa-community/sympa/pull/1044
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976020
https://lists.debian.org/debian-lts-announce/2020/12/msg00026.html
https://www.debian.org/security/2020/dsa-4818
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JICIHAJKKCZXJNIICUDYXGZFQCN6J4U6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EFZWDEKQFW3EH665OECDWIWM2MI7T53Y/
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
3.7
Base Severity
LOW