CVE-2020-1732 : A flaw was found in Soteria before 1.0.1, in a way that multiple requests occurr

A flaw was found in Soteria before 1.0.1, in a way that multiple requests occurring concurrently causing security identity corruption across concurrent threads when using EE Security with WildFly Elytron which can lead to the possibility of being handled using the identity from another request.

Published 2020-05-04 17:15:12

Updated 2020-05-08 17:28:01

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Input validationBypassGain privilege

Products affected by CVE-2020-1732

Redhat » Jboss Enterprise Application Platform » Version: 7.0.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift Application Runtimes » Version: N/A
cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform Continuous Delivery » Version: N/A
cpe:2.3:a:redhat:jboss_enterprise_application_platform_continuous_delivery:-:*:*:*:*:*:*:*
Matching versions
Redhat » Soteria
Versions before (<) 1.0.1
cpe:2.3:a:redhat:soteria:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2020-1732

Top countries where our scanners detected CVE-2020-1732

Top open port discovered on systems with this issue 80

IPs affected by CVE-2020-1732 371

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2020-1732!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2020-1732

EPSS FAQ

0.13%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 30 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-1732

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.9	MEDIUM	AV:N/AC:M/Au:S/C:P/I:P/A:N	6.8	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
4.2	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N	1.6	2.5	Red Hat, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None
4.2	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N	1.6	2.5	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2020-1732

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: secalert@redhat.com (Secondary)

References for CVE-2020-1732

https://github.com/wildfly-security/soteria/commit/c2479f8c39d7d661341fdcaff7f5e97c5eea1a54

Merge pull request #1 from darranl/CVE-2020-1732 · wildfly-security/soteria@c2479f8 · GitHub
Patch;Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1732

1801726 – (CVE-2020-1732) CVE-2020-1732 Soteria: security identity corruption across concurrent threads
Issue Tracking;Patch;Vendor Advisory