CVE-2020-11847

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

S

SH authenticated user when access the PAM server can execute an OS command to gain the full system access using bash. This issue affects Privileged Access Manager before 3.7.0.1.

References

Link	Resource
https://www.netiq.com/documentation/privileged-account-manager-37/npam_3701_releasenotes/data/npam_3701_releasenotes.html	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:microfocus:netiq_privileged_access_manager::::::::
	cpe:2.3:a:microfocus:netiq_privileged_access_manager:3.7:-::::::

History

23 Aug 2024, 17:04

Type	Values Removed	Values Added
References	~~() https://www.netiq.com/documentation/privileged-account-manager-37/npam_3701_releasenotes/data/npam_3701_releasenotes.html -~~	() https://www.netiq.com/documentation/privileged-account-manager-37/npam_3701_releasenotes/data/npam_3701_releasenotes.html - Release Notes
CVSS	v2 : ~~unknown~~ v3 : ~~8.2~~	v2 : unknown v3 : 7.8
Summary		(es) El usuario autenticado por SSH cuando accede al servidor PAM puede ejecutar un comando del sistema operativo para obtener acceso completo al sistema mediante bash. Este problema afecta a Privileged Access Manager anterior a 3.7.0.1.
CPE		cpe:2.3:a:microfocus:netiq_privileged_access_manager:3.7:-:::::: cpe:2.3:a:microfocus:netiq_privileged_access_manager::::::::
First Time		Microfocus netiq Privileged Access Manager Microfocus

21 Aug 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-21 14:15

Updated : 2024-08-23 17:04

NVD link : CVE-2020-11847

Mitre link : CVE-2020-11847

CVE.ORG link : CVE-2020-11847

JSON object : View

Products Affected

netiq_privileged_access_manager

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2020-11847", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.5}]}, "published": "2024-08-21T14:15:07.957", "references": [{"url": "https://www.netiq.com/documentation/privileged-account-manager-37/npam_3701_releasenotes/data/npam_3701_releasenotes.html", "tags": ["Release Notes"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "SSH authenticated user when access the PAM server can execute an OS command to gain the full system access using bash. This issue affects Privileged Access Manager before 3.7.0.1."}, {"lang": "es", "value": "El usuario autenticado por SSH cuando accede al servidor PAM puede ejecutar un comando del sistema operativo para obtener acceso completo al sistema mediante bash. Este problema afecta a Privileged Access Manager anterior a 3.7.0.1."}], "lastModified": "2024-08-23T17:04:30.110", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microfocus:netiq_privileged_access_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA2CD967-B489-4A21-8B40-77723EA447CE", "versionEndExcluding": "3.7"}, {"criteria": "cpe:2.3:a:microfocus:netiq_privileged_access_manager:3.7:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B555DD5F-DF6C-4A46-9F75-C668D9E48D4E"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}