CVE-2020-11846

A vulnerability found in OpenText Privileged Access Manager that issues a token. on successful issuance of the token, a cookie gets set that allows unrestricted access to all the application resources. This issue affects Privileged Access Manager before 3.7.0.1.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.netiq.com/documentation/privileged-account-manager-37/npam_3701_releasenotes/data/npam_3701_releasenotes.html	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:microfocus:netiq_privileged_access_manager::::::::
	cpe:2.3:a:microfocus:netiq_privileged_access_manager:3.7:-::::::

History

23 Aug 2024, 17:03

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad encontrada en OpenText Privileged Access Manager que emite un token. Tras la emisión exitosa del token, se establece una cookie que permite el acceso sin restricciones a todos los recursos de la aplicación. Este problema afecta a Privileged Access Manager anterior a 3.7.0.1.
CPE		cpe:2.3:a:microfocus:netiq_privileged_access_manager:3.7:-:::::: cpe:2.3:a:microfocus:netiq_privileged_access_manager::::::::
First Time		Microfocus Microfocus netiq Privileged Access Manager
References	~~() https://www.netiq.com/documentation/privileged-account-manager-37/npam_3701_releasenotes/data/npam_3701_releasenotes.html -~~	() https://www.netiq.com/documentation/privileged-account-manager-37/npam_3701_releasenotes/data/npam_3701_releasenotes.html - Release Notes
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~8.7~~	v2 : unknown v3 : 7.5

21 Aug 2024, 16:06

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-21 14:15

Updated : 2024-08-23 17:03

NVD link : CVE-2020-11846

Mitre link : CVE-2020-11846

CVE.ORG link : CVE-2020-11846

JSON object : View

Products Affected

microfocus

netiq_privileged_access_manager

CWE

NVD-CWE-noinfo CWE-269

Improper Privilege Management

{"id": "CVE-2020-11846", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security@opentext.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}]}, "published": "2024-08-21T14:15:07.737", "references": [{"url": "https://www.netiq.com/documentation/privileged-account-manager-37/npam_3701_releasenotes/data/npam_3701_releasenotes.html", "tags": ["Release Notes"], "source": "security@opentext.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security@opentext.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability found in OpenText Privileged Access Manager that issues a token. on successful issuance of the token, a cookie gets set that allows unrestricted access to all the application resources.\u00a0This issue affects Privileged Access Manager before 3.7.0.1."}, {"lang": "es", "value": "Una vulnerabilidad encontrada en OpenText Privileged Access Manager que emite un token. Tras la emisi\u00f3n exitosa del token, se establece una cookie que permite el acceso sin restricciones a todos los recursos de la aplicaci\u00f3n. Este problema afecta a Privileged Access Manager anterior a 3.7.0.1."}], "lastModified": "2024-08-23T17:03:39.093", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microfocus:netiq_privileged_access_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA2CD967-B489-4A21-8B40-77723EA447CE", "versionEndExcluding": "3.7"}, {"criteria": "cpe:2.3:a:microfocus:netiq_privileged_access_manager:3.7:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B555DD5F-DF6C-4A46-9F75-C668D9E48D4E"}], "operator": "OR"}]}], "sourceIdentifier": "security@opentext.com"}