CVSS: 8.8EPSS: 87%CPEs: 7EXPL: 4CVE-2020-3956 – vCloud Director 9.7.0.15498291 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-3956
VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access. VMware Cloud Director versiones 10.0.x anteriores a 10.0.0.2, versiones 9.7.0.x anteriores a 9.7.0.5, versiones 9.5.0.x anteriores a 9.5.0.6 y versiones 9.1.0.x anteriores a 9.1.0.4, no manejan apropiadamente la entrada conllevando a una vulnerabilidad de inyección de código. Un actor autenticado puede ser capaz de enviar tráfico malicioso a VMware Cloud Director, lo que puede conllevar a una ejecución de código remota arbitraria. • https://www.exploit-db.com/exploits/48540 https://github.com/aaronsvk/CVE-2020-3956 http://packetstormsecurity.com/files/157909/vCloud-Director-9.7.0.15498291-Remote-Code-Execution.html https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956 https://www.vmware.com/security/advisories/VMSA-2020-0010.html • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2020-5408 – Dictionary attack with Spring Security queryable text encryptor
https://notcve.org/view.php?id=CVE-2020-5408
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack. Spring Security versiones 5.3.x anteriores a 5.3.2, versiones 5.2.x anteriores a 5.2.4, versiones 5.1.x anteriores a 5.1.10, versiones 5.0.x anteriores a 5.0.16 y versiones 4.2.x anteriores a 4.2.16, utilizan un vector de inicialización de null corregido con el Modo CBC en la implementación del encriptador de texto consultable. Un usuario malicioso con acceso a los datos que han sido encriptados, al usar dicho encriptador pueden ser capaces de obtener los valores no encriptados mediante un ataque de diccionario. • https://tanzu.vmware.com/security/cve-2020-5408 https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpuoct2020.html • CWE-329: Generation of Predictable IV with CBC Mode CWE-330: Use of Insufficiently Random Values •
CVSS: 6.5EPSS: 97%CPEs: 13EXPL: 7CVE-2020-11652 – SaltStack Salt Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2020-11652
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. Se descubrió un problema en SaltStack Salt versiones anteriores a la versión 2019.2.4 y versiones 3000 anteriores a 3000.2. La clase ClearFuncs del proceso Salt-master permite acceder a algunos métodos que sanean inapropiadamente las rutas. • https://www.exploit-db.com/exploits/48421 https://github.com/ssrsec/CVE-2020-11651-CVE-2020-11652-EXP https://github.com/Al1ex/CVE-2020-11652 https://github.com/limon768/CVE-2020-11652-POC https://github.com/fanjq99/CVE-2020-11652 https://github.com/appcheck-ng/salt-rce-scanner-CVE-2020-11651-CVE-2020-11652 http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00070.html http://packetstormsecurit • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 97%CPEs: 10EXPL: 10CVE-2020-11651 – SaltStack Salt Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2020-11651
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. Se ha descubierto un fallo de salto de archivo en todas las versiones de ansible-engine 2.9.x anteriores a la versión 2.9.7, cuando se ejecuta una instalación de una colección ansible-galaxy. • https://www.exploit-db.com/exploits/48421 https://github.com/jasperla/CVE-2020-11651-poc https://github.com/ssrsec/CVE-2020-11651-CVE-2020-11652-EXP https://github.com/0xc0d/CVE-2020-11651 https://github.com/kevthehermit/CVE-2020-11651 https://github.com/RakhithJK/CVE-2020-11651 https://github.com/appcheck-ng/salt-rce-scanner-CVE-2020-11651-CVE-2020-11652 https://github.com/hardsoftsecurity/CVE-2020-11651-PoC http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00 •
CVSS: 9.3EPSS: 0%CPEs: 179EXPL: 0CVE-2020-3955
https://notcve.org/view.php?id=CVE-2020-3955
ESXi 6.5 without patch ESXi650-201912104-SG and ESXi 6.7 without patch ESXi670-202004103-SG do not properly neutralize script-related HTML when viewing virtual machines attributes. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.3. ESXi versión 6.5 sin el parche ESXi650-201912104-SG y ESXi versión 6.7 sin el parche ESXi670-202004103-SG, no neutralizan apropiadamente el HTML relacionado con scripts cuando se visualizan los atributos de las máquinas virtuales. VMware ha evaluado la gravedad de este problema en el rango de gravedad Importante con una puntuación base CVSSv3 máxima de 8,3. • https://www.vmware.com/security/advisories/VMSA-2020-0008.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •