Vulnerability Details : CVE-2020-12145
Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ use HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted by customers – on-premise or in a public cloud provider – are affected by this vulnerability.
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2020-12145
- cpe:2.3:a:silver-peak:unity_orchestrator:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-12145
- 59.04%: probability of exploitation activity in the next 30 days
- ~98%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-12145
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
6.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.7 | 5.9 | Silver Peak Systems, Inc. | |
CWE ids for CVE-2020-12145
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by:
- nvd@nist.gov (Primary)
- sirt@silver-peak.com (Secondary)
References for CVE-2020-12145
- https://www.silver-peak.com/support/user-documentation/security-advisories (Security Advisories | Silver Peak; Vendor Advisory)