CVE-2020-11853
Arbitrary code execution vulnerability on multiple Micro Focus products
Descriptions
Arbitrary code execution vulnerability affecting multiple Micro Focus products:
1.) Operation Bridge Manager, affecting versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older versions.
2.) Application Performance Management, affecting versions: 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3.
3.) Data Center Automation, affecting version 2019.11.
4.) Operations Bridge (containerized), affecting versions: 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11.
5.) Universal CMDB, affecting versions: 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30.
6.) Hybrid Cloud Management, affecting version 2020.05.
7.) Service Management Automation, affecting versions 2020.5 and 2020.02.
The vulnerability could allow execution of arbitrary code.
This vulnerability allows remote attackers to escalate privileges on affected installations of Micro Focus Operations Bridge Manager. Authentication is required to exploit this vulnerability.
The specific flaw exists within the SAMDownloadServlet endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM.
Timeline
- 2020-04-16 CVE Reserved
- 2020-10-22 CVE Published
- 2024-08-04 CVE Updated
- 2024-11-15 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
References (9)
URL | Tag | Source |
---|---|---|
http://packetstormsecurity.com/files/161182/Micro-Focus-UCMDB-Remote-Code-Execution.html | X_refsource_misc | |
http://packetstormsecurity.com/files/161366/Micro-Focus-Operations-Bridge-Manager-Remote-Code-Execution.html | X_refsource_misc | |
https://softwaresupport.softwaregrp.com/doc/KM03747657 | X_refsource_misc | |
https://softwaresupport.softwaregrp.com/doc/KM03747658 | X_refsource_misc | |
https://softwaresupport.softwaregrp.com/doc/KM03747854 | X_refsource_misc | |
https://softwaresupport.softwaregrp.com/doc/KM03747948 | X_refsource_misc | |
https://softwaresupport.softwaregrp.com/doc/KM03747949 | X_refsource_misc | |
https://softwaresupport.softwaregrp.com/doc/KM03747950 | X_refsource_misc | |
https://softwaresupport.softwaregrp.com/doc/KM03749879 | X_refsource_misc |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Microfocus | Operation Bridge Manager | <= 10.10 | - | Affected |
Microfocus | Operation Bridge Manager | 10.11 | - | Affected |
Microfocus | Operation Bridge Manager | 10.12 | - | Affected |
Microfocus | Operation Bridge Manager | 10.60 | - | Affected |
Microfocus | Operation Bridge Manager | 10.61 | - | Affected |
Microfocus | Operation Bridge Manager | 10.62 | - | Affected |
Microfocus | Operation Bridge Manager | 10.63 | - | Affected |
Microfocus | Operations Bridge Manager | 2017.11 | - | Affected |
Microfocus | Operations Bridge Manager | 2018.02 | - | Affected |
Microfocus | Operations Bridge Manager | 2018.05 | - | Affected |
Microfocus | Operations Bridge Manager | 2018.08 | - | Affected |
Microfocus | Operations Bridge Manager | 2018.11 | - | Affected |
Microfocus | Operations Bridge Manager | 2019.05 | - | Affected |
Microfocus | Operations Bridge Manager | 2019.08 | - | Affected |
Microfocus | Operations Bridge Manager | 2019.11 | - | Affected |
Microfocus | Operations Bridge Manager | 2020.05 | - | Affected |
Hp | Universal Cmbd Foundation | 10.20 | - | Affected |
Hp | Universal Cmbd Foundation | 10.30 | - | Affected |
Hp | Universal Cmbd Foundation | 10.31 | - | Affected |
Hp | Universal Cmbd Foundation | 10.32 | - | Affected |
Hp | Universal Cmbd Foundation | 10.33 | - | Affected |
Hp | Universal Cmbd Foundation | 11.0 | - | Affected |
Hp | Universal Cmbd Foundation | 2018.05 | - | Affected |
Hp | Universal Cmbd Foundation | 2018.08 | - | Affected |
Hp | Universal Cmbd Foundation | 2018.11 | - | Affected |
Hp | Universal Cmbd Foundation | 2019.02 | - | Affected |
Hp | Universal Cmbd Foundation | 2019.05 | - | Affected |
Hp | Universal Cmbd Foundation | 2019.11 | - | Affected |
Hp | Universal Cmbd Foundation | 2020.05. | - | Affected |
Microfocus | Application Performance Management | 9.40 | - | Affected |
Microfocus | Application Performance Management | 9.50 | - | Affected |
Microfocus | Application Performance Management | 9.51 | - | Affected |
Microfocus | Data Center Automation | <= 2019.11 | - | Affected |
Microfocus | Hybrid Cloud Management | >= 2018.05 <= 2020.05 | - | Affected |
Microfocus | Service Manager Automation | 2020.02 | - | Affected |
Microfocus | Service Manager Automation | 2020.05 | - | Affected |