CVE-2020-26943

Severity Score

9.9

*CVSS v3.1

Exploit Likelihood

1.5%

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2.0.0, and 3.0.0. A user allowed to access the Blazar dashboard in Horizon may trigger code execution on the Horizon host as the user the Horizon service runs under (because the Python eval function is used). This may result in Horizon host unauthorized access and further compromise of the Horizon service. All setups using the Horizon dashboard with the blazar-dashboard plugin are affected.

Se detectó un problema en OpenStack blazar-dashboard versiones anteriores a 1.3.1, 2.0.0 y 3.0.0. Un usuario al que se le permite acceder al panel Blazar en Horizon puede activar una ejecución de código en el host de Horizon como el usuario bajo el cual se ejecuta el servicio de Horizon (porque la función eval de Python es usada). Esto puede resultar en un acceso no autorizado del host de Horizon y un mayor compromiso del servicio de Horizon. Todas las configuraciones que usan el panel de Horizon con el plugin blazar-dashboard están afectadas

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-10-10 CVE Reserved
2020-10-16 CVE Published
2024-08-04 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
http://www.openwall.com/lists/oss-securit...	Mailing List
https://launchpad.net/bugs/1895688	Third Party Advisory
https://review.opendev.org/755810	Third Party Advisory
https://review.opendev.org/755812	Third Party Advisory
https://review.opendev.org/755813	Third Party Advisory
https://review.opendev.org/755814	Third Party Advisory
https://review.opendev.org/756064	Third Party Advisory
https://security.openstack.org/ossa/OSSA-...	Third Party Advisory

1 - 8 of 8

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions (3)

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openstack Search vendor "Openstack"		Blazar-dashboard Search vendor "Openstack" for product "Blazar-dashboard"				< 1.3.1 Search vendor "Openstack" for product "Blazar-dashboard" and version " < 1.3.1"		-		Affected
Openstack Search vendor "Openstack"		Blazar-dashboard Search vendor "Openstack" for product "Blazar-dashboard"				2.0.0 Search vendor "Openstack" for product "Blazar-dashboard" and version "2.0.0"		-		Affected
Openstack Search vendor "Openstack"		Blazar-dashboard Search vendor "Openstack" for product "Blazar-dashboard"				3.0.0 Search vendor "Openstack" for product "Blazar-dashboard" and version "3.0.0"		-		Affected

1 - 3 of 3