Vulnerability Details : CVE-2020-26515
An insufficiently protected credentials issue was discovered in Intland codeBeamer ALM 10.x through 10.1.SP4. The remember-me cookie (CB_LOGIN) issued by the application contains the user's encrypted credentials. However, due to a bug in the application code, those credentials are encrypted using a NULL encryption key, so the encryption provides no protection for the credentials stored in the cookie.
Products affected by CVE-2020-26515
- cpe:2.3:a:intland:codebeamer:*:*:*:*:*:*:*:*
- cpe:2.3:a:intland:codebeamer:10.1.0:-:*:*:*:*:*:*
- cpe:2.3:a:intland:codebeamer:10.1.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:intland:codebeamer:10.1.0:sp2:*:*:*:*:*:*
- cpe:2.3:a:intland:codebeamer:10.1.0:sp3:*:*:*:*:*:*
- cpe:2.3:a:intland:codebeamer:10.1.0:sp4:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-26515
- 0.20%: probability of exploitation activity in the next 30 days
- ~58%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-26515
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2020-26515
- The product uses a broken or risky cryptographic algorithm or protocol. Assigned by: nvd@nist.gov (Primary)
- The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-26515
- https://intland.com/codebeamer/application-lifecycle-management/ (Product; Vendor Advisory)
- https://www.compass-security.com/fileadmin/Research/Advisories/2021-09_CSNC-2020-010-codebeamer_ALM_Insecure-RememberMe.txt (Exploit; Third Party Advisory)