CVE-2020-29668
Published: 10 December 2020
Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
sympa Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| groovy |
Ignored
(end of life)
|
|
| hirsute |
Not vulnerable
(6.2.58~dfsg-2)
|
|
| impish |
Not vulnerable
(6.2.58~dfsg-2)
|
|
| jammy |
Not vulnerable
(6.2.58~dfsg-2)
|
|
| kinetic |
Not vulnerable
(6.2.58~dfsg-2)
|
|
| lunar |
Not vulnerable
(6.2.58~dfsg-2)
|
|
| mantic |
Not vulnerable
(6.2.58~dfsg-2)
|
|
| noble |
Not vulnerable
(6.2.58~dfsg-2)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(6.2.58~dfsg-2)
|
|
| xenial |
Needs triage
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 3.7 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
References
- https://github.com/sympa-community/sympa/issues/1041
- https://github.com/sympa-community/sympa/pull/1044
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976020
- https://github.com/sympa-community/sympa/blob/6.2.59b.2/NEWS.md
- https://www.cve.org/CVERecord?id=CVE-2020-29668
- NVD
- Launchpad
- Debian