CVE-2020-15120

In "I hate money" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5.

CVSS v3 4.9 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/spiral-project/ihatemoney/commit/8d77cf5d5646e1d2d8ded13f0660638f57e98471	Patch Third Party Advisory
https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ihatemoney:i_hate_money:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-07-27 18:15

Updated : 2024-02-28 17:47

NVD link : CVE-2020-15120

Mitre link : CVE-2020-15120

CVE.ORG link : CVE-2020-15120

JSON object : View

Products Affected

ihatemoney

i_hate_money

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2020-15120", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2020-07-27T18:15:13.983", "references": [{"url": "https://github.com/spiral-project/ihatemoney/commit/8d77cf5d5646e1d2d8ded13f0660638f57e98471", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "In \"I hate money\" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5."}, {"lang": "es", "value": "En \"I hate money\" antes de la versi\u00f3n 4.1.5, un miembro autenticado de un proyecto puede modificar y eliminar miembros de otro proyecto, sin conocer el c\u00f3digo privado de este otro proyecto. Esto puede ser explotado a\u00fan m\u00e1s para acceder a todas las facturas de otro proyecto sin conocer el c\u00f3digo privado de este otro proyecto. Con la configuraci\u00f3n predeterminada, es permitido a cualquiera crear un nuevo proyecto. Un atacante puede crear un nuevo proyecto y luego usarlo para autenticarse y explotar este fallo. Como tal, la exposici\u00f3n es similar a un ataque no autenticado, porque es muy sencillo autenticarse. Esto est\u00e1 corregido en la versi\u00f3n 4.1.5"}], "lastModified": "2020-07-29T18:09:36.850", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ihatemoney:i_hate_money:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "454CE36C-D558-461D-99E5-6A533CD5C59A", "versionEndExcluding": "4.1.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}