Vulnerability Details : CVE-2020-25711
A flaw was found in the Infinispan 10 REST API, where authorization permissions are not checked for some server-management operations. When authorization is enabled, any authenticated user can perform operations such as shutting down the server without holding the ADMIN role; authentication alone is therefore not a sufficient control for these endpoints, and the fix is a per-operation role check.
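The pattern behind this CVE, as an added illustration that is not Infinispan's own code: a toy REST dispatcher that authenticates every caller but, in the vulnerable variant, never checks which role the caller holds before running a server-management action. The hardened variant keeps a per-route table of required roles and denies (and audit-logs) anything the caller is not entitled to. The credential store, the `/rest/v2/server` path, the `stop` action and the role names are constructed assumptions for the demo, not taken from the advisory.

```python
"""Missing-authorization pattern (CVE-2020-25711 style) beside a hardened
dispatcher. Demo code: users, paths, actions and roles are assumptions."""
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


@dataclass
class Server:
    running: bool = True
    audit: List[str] = field(default_factory=list)   # hardened path writes here

    def stop(self) -> None:
        self.running = False


# Constructed credential store for the demo: user -> (password, roles).
USERS: Dict[str, Tuple[str, frozenset]] = {
    "admin": ("admin-pw", frozenset({"ADMIN"})),
    "app":   ("app-pw",   frozenset({"APPLICATION"})),
}


def basic(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (helper for callers/tests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(auth_header: Optional[str]) -> Optional[Principal]:
    """Parse 'Basic base64(user:password)' against USERS; None on any failure.
    Demo only: real code compares password hashes, not plaintext."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:            # bad base64 / bad UTF-8
        return None
    entry = USERS.get(user)
    if entry is None or entry[0] != password:
        return None
    return Principal(user, entry[1])


# Assumed routes for the demo: (method, path, action).
INFO_ROUTE = ("GET", "/rest/v2/server", None)     # read-only server info
STOP_ROUTE = ("POST", "/rest/v2/server", "stop")  # destructive management action


def dispatch_vulnerable(server: Server, method: str, path: str,
                        action: Optional[str], auth_header: Optional[str]) -> int:
    """The CVE pattern: authentication is enforced, authorization is not.
    Any valid user, ADMIN or not, can stop the server."""
    if authenticate(auth_header) is None:
        return 401
    route = (method, path, action)
    if route == INFO_ROUTE:
        return 200
    if route == STOP_ROUTE:
        server.stop()
        return 200
    return 404


# Hardened: each route declares the role it requires (None = any authenticated
# user) and the handler it runs. Unknown routes are denied by default (404).
ROUTES: Dict[Tuple[str, str, Optional[str]],
             Tuple[Optional[str], Callable[[Server], None]]] = {
    INFO_ROUTE: (None, lambda s: None),
    STOP_ROUTE: ("ADMIN", Server.stop),
}


def dispatch_hardened(server: Server, method: str, path: str,
                      action: Optional[str], auth_header: Optional[str]) -> int:
    principal = authenticate(auth_header)
    if principal is None:
        return 401
    entry = ROUTES.get((method, path, action))
    if entry is None:
        return 404
    required, handler = entry
    if required is not None and required not in principal.roles:
        # A denied management call is worth a log line: it is exactly the
        # signal a detection rule for this bug class would key on.
        server.audit.append(f"DENY {principal.name} {method} {path}?action={action}")
        return 403
    server.audit.append(f"ALLOW {principal.name} {method} {path}?action={action}")
    handler(server)
    return 200


if __name__ == "__main__":
    weak, strong = Server(), Server()
    print("vulnerable, app user stops server:",
          dispatch_vulnerable(weak, *STOP_ROUTE, basic("app", "app-pw")), weak.running)
    print("hardened, app user stops server:",
          dispatch_hardened(strong, *STOP_ROUTE, basic("app", "app-pw")), strong.running)
    print("hardened, admin stops server:",
          dispatch_hardened(strong, *STOP_ROUTE, basic("admin", "admin-pw")), strong.running)
    print(strong.audit)
```

The design point is that the role requirement lives in the route table next to the handler, so adding a new management endpoint without a declared role is a visible omission rather than a silent default-allow, and every decision leaves an audit entry.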
Products affected by CVE-2020-25711
- cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
- cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-25711
- EPSS score: 0.08% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~31% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2020-25711
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.9 | MEDIUM | AV:N/AC:M/Au:S/C:N/I:P/A:P | 6.8 | 4.9 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H | 1.2 | 5.2 | NIST | |
CWE ids for CVE-2020-25711
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
  Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2020-25711
- https://security.netapp.com/advisory/ntap-20220210-0023/ (CVE-2020-25711 Infinispan Vulnerability in NetApp Products | NetApp Product Security; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1897618 (1897618 – (CVE-2020-25711) CVE-2020-25711 infinispan: authorization check missing for server management operations; Issue Tracking; Third Party Advisory)