CVSS: 9.8EPSS: 97%CPEs: 13EXPL: 3CVE-2020-15505 – Ivanti MobileIron Multiple Products Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-15505
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors. Se presenta una vulnerabilidad de ejecución de código remoto en las versiones 10.3.0.3 y anteriores del MobileIron Core y Connector, versiones 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 y 10.6.0.0; y las versiones 9 del Sentry. 7.2 y anteriores, y versiones 9.8.0; y Monitor and Reporting Database (RDB) versión 2.0.0.1 y anteriores que permite a los atacantes remotos ejecutar código arbitrario a través de vectores no especificados Ivanti MobileIron's Core & Connector, Sentry, and Monitor and Reporting Database (RDB) products contain an unspecified vulnerability that allows for remote code execution. • http://packetstormsecurity.com/files/161097/MobileIron-MDM-Hessian-Based-Java-Deserialization-Remote-Code-Execution.html https://cwe.mitre.org/data/definitions/41.html https://perchsecurity.com/perch-news/cve-spotlight-mobileiron-rce-cve-2020-15505 https://www.mobileiron.com/en/blog/mobileiron-security-updates-available https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2020-15505 https://raw.githubusercontent.com/rapi • CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-15506
https://notcve.org/view.php?id=CVE-2020-15506
An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to bypass authentication mechanisms via unspecified vectors. Una vulnerabilidad de omisión de autentificación en MobileIron Core y Connector versiones 10.3.0.3 y anteriores, versiones 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 y versión 10.6.0.0 permite a atacantes remotos omitir los mecanismos de autenticación por medio de vectores no especificados • https://www.mobileiron.com/en/blog/mobileiron-security-updates-available •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2020-15507
https://notcve.org/view.php?id=CVE-2020-15507
An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to read files on the system via unspecified vectors. Se presenta una vulnerabilidad arbitraria de lectura de archivos en MobileIron Core y Connector versiones 10.3.0.3 y anteriores, versiones 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 y versión 10.6.0.0 que permite a atacantes remotos leer archivos sobre el sistema por medio de vectores no especificados • https://www.mobileiron.com/en/blog/mobileiron-security-updates-available •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 2CVE-2013-7287
https://notcve.org/view.php?id=CVE-2013-7287
MobileIron VSP < 5.9.1 and Sentry < 5.0 has an insecure encryption scheme. MobileIron VSP versiones anteriores a 5.9.1 y Sentry versiones anteriores a 5.0, presentan un esquema de cifrado no seguro. • http://seclists.org/fulldisclosure/2014/Apr/21 https://www.securityfocus.com/archive/1/531713 • CWE-326: Inadequate Encryption Strength •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8028
https://notcve.org/view.php?id=CVE-2018-8028
An authenticated user can execute ALTER TABLE EXCHANGE PARTITIONS without being authorized by Apache Sentry before 2.0.1. This can allow an attacker unauthorized access to the partitioned data of a Sentry protected table and can allow an attacker to remove data from a Sentry protected table. Un usuario autenticado puede ejecutar ALTER TABLE EXCHANGE PARTITIONS sin estar autorizado por Apache Sentry en versiones anteriores a la 2.0.1. Esto puede permite que un atacante acceda de manera no autorizada a los datos particionados de una tabla Sentry protegida y puede permitir que un atacante elimine datos de una tabla Sentry protegida. • https://cwiki.apache.org/confluence/display/SENTRY/Vulnerabilities+found+in+Apache+Sentry • CWE-862: Missing Authorization •