CVE-2019-16374 - OpenCVE

Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Pega	Platform

Configuration 1 [-]

cpe:2.3:a:pega:platform:*:*:*:*:*:*:*:*

References

Link	Resource
https://community.pega.com/upgrade	Vendor Advisory
https://gist.github.com/IAG0110/0205823570ba04ec12e656f7f4602877	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-08-13T12:30:26

Updated: 2020-08-13T12:30:26

Reserved: 2019-09-16T00:00:00

Link: CVE-2019-16374

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-08-13T13:15:16.670

Modified: 2020-08-19T17:14:56.700

Link: CVE-2019-16374

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pega:platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "AF5364F8-3FC3-4A39-A5E6-986091021258", "versionEndIncluding": "8.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control."}, {"lang": "es", "value": "Pega Platform versi\u00f3n 8.2.1, permite una inyecci\u00f3n de LDAP porque un nombre de usuario puede contener un car\u00e1cter * y puede ser de una longitud ilimitada. Un atacante puede especificar cuatro caracteres de un nombre de usuario, seguidos del car\u00e1cter *, para omitir el control de acceso"}], "id": "CVE-2019-16374", "lastModified": "2020-08-19T17:14:56.700", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-13T13:15:16.670", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://community.pega.com/upgrade"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/IAG0110/0205823570ba04ec12e656f7f4602877"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}