Vulnerability Details : CVE-2020-11016
IntelMQ Manager from version 1.1.0 and before version 2.1.1 has a vulnerability where the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver. Version 2.1.1 fixes the vulnerability.
Vulnerability category: Execute code
Products affected by CVE-2020-11016
- cpe:2.3:a:intelmq_manager_project:intelmq_manager:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11016
0.36%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 69 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-11016
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST | |
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L |
3.1
|
5.3
|
GitHub, Inc. |
CWE ids for CVE-2020-11016
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2020-11016
-
https://github.com/certtools/intelmq-manager/commit/b9a2ac43a4f99d764b827108f6a99dc4a9faa013
SEC: fix RCE bug in controller.php · certtools/intelmq-manager@b9a2ac4 · GitHubPatch;Third Party Advisory
-
https://github.com/certtools/intelmq-manager/security/advisories/GHSA-rrhh-rcgp-q2m2
Remote code execution in Message sending functionality · Advisory · certtools/intelmq-manager · GitHubPatch;Third Party Advisory
-
https://github.com/certtools/intelmq-manager/releases/tag/2.1.1
Release 2.1.1 Security bugfix relase · certtools/intelmq-manager · GitHubThird Party Advisory
-
https://lists.cert.at/pipermail/intelmq-users/2020-April/000161.html
[Intelmq-users] IntelMQ Manager 2.1.1 Security Bugfix ReleaseThird Party Advisory
Jump to