Vulnerability Details : CVE-2020-15235
In RACTF before commit f3dc89b, unauthenticated users are able to read the values of sensitive config keys that would normally be hidden from everyone except admins. All versions after commit f3dc89b9f6ab1544a289b3efc06699b13d63e0bd (3/10/20) are patched.
Vulnerability category: Information leak
Products affected by CVE-2020-15235
- cpe:2.3:a:ractf:core:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-15235
0.18%
Probability of exploitation activity in the next 30 days
EPSS Score History
~54%
Percentile: the proportion of vulnerabilities that are scored at or below this one
CVSS scores for CVE-2020-15235
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2020-15235
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
  Assigned by: security-advisories@github.com (Primary)
References for CVE-2020-15235
- https://github.com/ractf/core/commit/f3dc89b9f6ab1544a289b3efc06699b13d63e0bd
  "patch unauthenticated users being able to read sensitive config field…" · ractf/core@f3dc89b · GitHub (Patch; Vendor Advisory)
- https://github.com/ractf/core/security/advisories/GHSA-ph67-c355-52vm
  "Unauthenticated Users Can View Sensitive Config Keys" · Advisory · ractf/core · GitHub (Vendor Advisory)