CVE-2020-16282

In the default configuration of Rangee GmbH RangeeOS 8.0.4, all components are executed in the context of the privileged root user. This may allow a local attacker to break out of the restricted environment or inject malicious code into the application and fully compromise the operating system.

CVSS v3 8.8 HIGH
CVSS v2.0 7.2 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.0 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://www.contextis.com/en/resources/advisories/cve-2020-16282	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:rangee:rangeeos:8.0.4:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-08-20 16:15

Updated : 2024-02-28 17:47

NVD link : CVE-2020-16282

Mitre link : CVE-2020-16282

CVE.ORG link : CVE-2020-16282

JSON object : View

Products Affected

rangee

rangeeos

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2020-16282", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}]}, "published": "2020-08-20T16:15:11.613", "references": [{"url": "https://www.contextis.com/en/resources/advisories/cve-2020-16282", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "In the default configuration of Rangee GmbH RangeeOS 8.0.4, all components are executed in the context of the privileged root user. This may allow a local attacker to break out of the restricted environment or inject malicious code into the application and fully compromise the operating system."}, {"lang": "es", "value": "En la configuraci\u00f3n predeterminada de Rangee GmbH RangeeOS versi\u00f3n 8.0.4, todos los componentes son ejecutados en el contexto del usuario root privilegiado. Esto puede permitir a un atacante local salir del entorno restringido o inyectar c\u00f3digo malicioso a la aplicaci\u00f3n y comprometer por completo el sistema operativo."}], "lastModified": "2020-08-24T18:33:22.407", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:rangee:rangeeos:8.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D24087DA-90BA-4051-9028-EE5B8A8914DE"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}