CVE-2020-10590

Replicated Classic 2.x versions have an improperly secured API that exposes sensitive data from the Replicated Admin Console configuration. An attacker with network access to the Admin Console port (8800) on the Replicated Classic server could retrieve the TLS Keypair (Cert and Key) used to configure the Admin Console.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://blog.replicated.com	Vendor Advisory
https://gradle.com/enterprise/releases/2019.5/#changes	Third Party Advisory
https://www.replicated.com/security/advisories/CVE-2020-10590	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:replicated:replicated_classic::::::::
	cpe:2.3:a:replicated:replicated_classic::::::::
	cpe:2.3:a:replicated:replicated_classic::::::::
	cpe:2.3:a:replicated:replicated_classic::::::::
	cpe:2.3:a:replicated:replicated_classic::::::::
	cpe:2.3:a:replicated:replicated_classic::::::::
	cpe:2.3:a:replicated:replicated_classic::::::::
	cpe:2.3:a:replicated:replicated_classic:2.41.0:::::::*

History

No history.

Information

Published : 2021-07-30 14:15

Updated : 2024-02-28 18:28

NVD link : CVE-2020-10590

Mitre link : CVE-2020-10590

CVE.ORG link : CVE-2020-10590

JSON object : View

Products Affected

replicated

replicated_classic

CWE

NVD-CWE-noinfo

{"id": "CVE-2020-10590", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2021-07-30T14:15:12.930", "references": [{"url": "https://blog.replicated.com", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://gradle.com/enterprise/releases/2019.5/#changes", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.replicated.com/security/advisories/CVE-2020-10590", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Replicated Classic 2.x versions have an improperly secured API that exposes sensitive data from the Replicated Admin Console configuration. An attacker with network access to the Admin Console port (8800) on the Replicated Classic server could retrieve the TLS Keypair (Cert and Key) used to configure the Admin Console."}, {"lang": "es", "value": "Replicated Classic versiones 2.x, presentan una API asegurada inapropiadamente que expone datos confidenciales de la configuraci\u00f3n de la Consola de Administraci\u00f3n Replicada. Un atacante con acceso de red al puerto de la Consola de Administraci\u00f3n (8800) en el servidor de Replicated Classic podr\u00eda recuperar el par de claves TLS (Cert y Key) usado para configurar la Consola de Administraci\u00f3n"}], "lastModified": "2022-06-28T14:11:45.273", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:replicated:replicated_classic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A13F1249-8DFC-4CCB-8E39-5237958CA278", "versionEndIncluding": "2.32.3", "versionStartIncluding": "2.10.0"}, {"criteria": "cpe:2.3:a:replicated:replicated_classic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EAD962E0-AD59-45C2-9AA2-825CD1589522", "versionEndIncluding": "2.36.0", "versionStartIncluding": "2.33.0"}, {"criteria": "cpe:2.3:a:replicated:replicated_classic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "10023122-0F02-4D4A-B413-5227EE939BB7", "versionEndIncluding": "2.37.1", "versionStartIncluding": "2.37.0"}, {"criteria": "cpe:2.3:a:replicated:replicated_classic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ADFC23B4-835F-4ACC-91E2-76752F14E7A3", "versionEndIncluding": "2.38.5", "versionStartIncluding": "2.38.0"}, {"criteria": "cpe:2.3:a:replicated:replicated_classic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "10D63E7B-B00E-4F2B-AF6D-DAA6EAC614F9", "versionEndIncluding": "2.39.3", "versionStartIncluding": "2.39.0"}, {"criteria": "cpe:2.3:a:replicated:replicated_classic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8EC5AF21-62BD-4883-8941-7690D7EEF64F", "versionEndIncluding": "2.40.3", "versionStartIncluding": "2.40.0"}, {"criteria": "cpe:2.3:a:replicated:replicated_classic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "304928C9-4462-43C1-99E3-7C01101E4DAB", "versionEndIncluding": "2.42.3", "versionStartIncluding": "2.42.0"}, {"criteria": "cpe:2.3:a:replicated:replicated_classic:2.41.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0350B1B8-C397-4CE1-B9E7-73D93B80DA6B"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}