CVE-2020-29668
Published: 10 December 2020
Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.
Priority
Status
Package | Release | Status |
---|---|---|
sympa (Launchpad, Ubuntu, Debian) | bionic | Needs triage |
sympa | focal | Needs triage |
sympa | groovy | Ignored (end of life) |
sympa | hirsute | Not vulnerable (6.2.58~dfsg-2) |
sympa | impish | Not vulnerable (6.2.58~dfsg-2) |
sympa | jammy | Not vulnerable (6.2.58~dfsg-2) |
sympa | kinetic | Not vulnerable (6.2.58~dfsg-2) |
sympa | lunar | Not vulnerable (6.2.58~dfsg-2) |
sympa | mantic | Not vulnerable (6.2.58~dfsg-2) |
sympa | noble | Not vulnerable (6.2.58~dfsg-2) |
sympa | trusty | Does not exist |
sympa | upstream | Released (6.2.58~dfsg-2) |
sympa | xenial | Needs triage |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 3.7 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
References
- https://github.com/sympa-community/sympa/issues/1041
- https://github.com/sympa-community/sympa/pull/1044
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976020
- https://github.com/sympa-community/sympa/blob/6.2.59b.2/NEWS.md
- https://www.cve.org/CVERecord?id=CVE-2020-29668
- NVD
- Launchpad
- Debian