CVE-2020-13774 - OpenCVE

An unrestricted file-upload issue in EditLaunchPadDialog.aspx in Ivanti Endpoint Manager 2019.1 and 2020.1 allows an authenticated attacker to gain remote code execution by uploading a malicious aspx file. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image, which upon failure will leave the temporarily created files in an accessible location on the server.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Ivanti	Endpoint Manager

Configuration 1 [-]

OR	cpe:2.3:a:ivanti:endpoint_manager:2019.1:::::::*
	cpe:2.3:a:ivanti:endpoint_manager:2020.1:::::::*

References

Link	Resource
https://labs.jumpsec.com/advisory-cve-2020-13774-ivanti-uem-rce/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-11-12T19:22:15

Updated: 2020-11-12T19:22:15

Reserved: 2020-06-02T00:00:00

Link: CVE-2020-13774

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-12T20:15:16.017

Modified: 2020-12-02T16:27:23.850

Link: CVE-2020-13774

JSON object: View

Redhat Information

No data.

CWE

CWE-434

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An unrestricted file-upload issue in EditLaunchPadDialog.aspx in Ivanti Endpoint Manager 2019.1 and 2020.1 allows an authenticated attacker to gain remote code execution by uploading a malicious aspx file. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image, which upon failure will leave the temporarily created files in an accessible location on the server."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-12T19:22:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://labs.jumpsec.com/advisory-cve-2020-13774-ivanti-uem-rce/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-13774", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An unrestricted file-upload issue in EditLaunchPadDialog.aspx in Ivanti Endpoint Manager 2019.1 and 2020.1 allows an authenticated attacker to gain remote code execution by uploading a malicious aspx file. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image, which upon failure will leave the temporarily created files in an accessible location on the server."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://labs.jumpsec.com/advisory-cve-2020-13774-ivanti-uem-rce/", "refsource": "MISC", "url": "https://labs.jumpsec.com/advisory-cve-2020-13774-ivanti-uem-rce/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-13774", "datePublished": "2020-11-12T19:22:15", "dateReserved": "2020-06-02T00:00:00", "dateUpdated": "2020-11-12T19:22:15", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2019.1:*:*:*:*:*:*:*", "matchCriteriaId": "4BD9E4D7-899F-4CA4-A252-215F21DE7919", "vulnerable": true}, {"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2020.1:*:*:*:*:*:*:*", "matchCriteriaId": "B466D6DA-27D7-47F6-A97B-5E39DD385DB8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An unrestricted file-upload issue in EditLaunchPadDialog.aspx in Ivanti Endpoint Manager 2019.1 and 2020.1 allows an authenticated attacker to gain remote code execution by uploading a malicious aspx file. The issue is caused by insufficient file extension validation and insecure file operations on the uploaded image, which upon failure will leave the temporarily created files in an accessible location on the server."}, {"lang": "es", "value": "Un problema de carga de archivos sin restricciones en el archivo EditLaunchPadDialog.aspx en Ivanti Endpoint Manager versiones 2019.1 y 2020.1, permite a un atacante autenticado conseguir una ejecuci\u00f3n de c\u00f3digo remota cargando un archivo aspx malicioso. El problema es causado por una validaci\u00f3n de extensi\u00f3n de archivo insuficiente y operaciones de archivo no seguras en la imagen cargada, que tras el fallo dejar\u00e1n los archivos creados temporalmente en una ubicaci\u00f3n accesible en el servidor"}], "id": "CVE-2020-13774", "lastModified": "2020-12-02T16:27:23.850", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-12T20:15:16.017", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://labs.jumpsec.com/advisory-cve-2020-13774-ivanti-uem-rce/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}