Vulnerability Details : CVE-2020-24614
Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 allows remote authenticated users to execute arbitrary code. An attacker must have check-in privileges on the repository.
Vulnerability category: Execute code
Products affected by CVE-2020-24614
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
- cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*
- cpe:2.3:a:fossil-scm:fossil:*:*:*:*:*:*:*:* (three version ranges, matching the description above: before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1)
Exploit prediction scoring system (EPSS) score for CVE-2020-24614
- EPSS score: 1.29% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~86% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2020-24614
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2020-24614
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2020-24614
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ARYF4YMYXCANXUDS3B3CA4JGUZNUJOJA/
  [SECURITY] Fedora 32 Update: fossil-2.12.1-1.fc32 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00065.html
  [security-announce] openSUSE-SU-2020:1478-1: important: Security update (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVZK4K7SFBQRCGCHS76HW2LTSEH2KSUM/
  [SECURITY] Fedora 33 Update: fossil-2.12.1-1.fc33 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/08/25/1
  oss-security - Re: Fossil-SCM patch fixes RCE in all historic versions (Mailing List; Third Party Advisory)
- https://fossil-scm.org/forum/info/a05ae3ce7760daf6
  Fossil Forum: Fossil version 2.12.1 - update recommended (Vendor Advisory)
- https://fossil-scm.org/fossil/vdiff?branch=sec2020-2.12-patch&diff=1&w
  Fossil: Changes On Branch sec2020-2.12-patch (Third Party Advisory)
- https://security.gentoo.org/glsa/202011-04
  Fossil: Multiple vulnerabilities (GLSA 202011-04) — Gentoo security (Third Party Advisory)
- https://www.openwall.com/lists/oss-security/2020/08/20/1
  oss-security - Fossil-SCM patch fixes RCE in all historic versions (Mailing List; Third Party Advisory)