CVE-2020-6856

{"id": "CVE-2020-6856", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-02-06T17:15:14.303", "references": [{"url": "https://change.sos-berlin.com/browse/JOC-853", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://change.sos-berlin.com/browse/JOC-853", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-776"}]}], "descriptions": [{"lang": "en", "value": "An XML External Entity (XEE) vulnerability exists in the JOC Cockpit component of SOS JobScheduler 1.12 and 1.13.2 allows attackers to read files from the server via an entity declaration in any of the XML documents that are used to specify the run-time settings of jobs and orders."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de tipo XML External Entity (XEE) en el componente JOC Cockpit de SOS JobScheduler versiones 1.12 y 1.13.2, que permite a atacantes leer archivos del servidor por medio de una declaraci\u00f3n de entidad en cualquiera de los documentos XML que son usados para especificar la configuraci\u00f3n del tiempo de ejecuci\u00f3n de trabajos y pedidos."}], "lastModified": "2024-11-21T05:36:18.150", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sos-berlin:jobscheduler:1.11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9304B5EB-B352-480C-B1D0-5AA3F88F6C9A"}, {"criteria": "cpe:2.3:a:sos-berlin:jobscheduler:1.13.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "444A6B97-66A5-4F0E-9423-92A2838D33A9"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}