CVE-2020-1963 - OpenCVE

Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which could be used by attacker to access to a filesystem.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Ignite

Configuration 1 [-]

cpe:2.3:a:apache:ignite:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2020/06/03/2	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r119024ef71c8d39f952df0950a275d09714715179aff544aea0129a3%40%3Cuser.ignite.apache.org%3E
https://lists.apache.org/thread.html/r1933faf8a26c431f38a5f8dbbfab80254454e54e33a79be474b67dc4%40%3Cdev.ignite.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rd43ae18588fd7bdb375be63bc95a651aab319ced6306759e1237ce67%40%3Cdev.ignite.apache.org%3E
https://lists.apache.org/thread.html/rdf37011b92a31a67c299ff45655e2638f194fc814e5c6e2fde352884%40%3Cdev.ignite.apache.org%3E
https://lists.apache.org/thread.html/rdf37011b92a31a67c299ff45655e2638f194fc814e5c6e2fde352884%40%3Cuser.ignite.apache.org%3E
https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612d1a0fdd30beb94%40%3Cdev.ignite.apache.org%3E
https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612d1a0fdd30beb94%40%3Cuser.ignite.apache.org%3E
https://lists.apache.org/thread.html/rf032a13a4711f88c0a2c0734eecbee1026cc1b6cde27d16a653f8755%40%3Cdev.ignite.apache.org%3E
https://www.oracle.com/security-alerts/cpujan2022.html	Not Applicable Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2020-06-03T12:53:40

Updated: 2022-02-07T14:40:34

Reserved: 2019-12-02T00:00:00

Link: CVE-2020-1963

JSON object: View

NVD Information

Status : Modified

Published: 2020-06-03T13:15:10.477

Modified: 2023-11-07T03:19:38.707

Link: CVE-2020-1963

JSON object: View

Redhat Information

No data.

CWE

CWE-862

{"containers": {"cna": {"affected": [{"product": "Apache Ignite", "vendor": "n/a", "versions": [{"status": "affected", "version": "All versions of Apache Ignite up to 2.8"}]}], "descriptions": [{"lang": "en", "value": "Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which could be used by attacker to access to a filesystem."}], "problemTypes": [{"descriptions": [{"description": "Information Disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-02-07T14:40:34", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "[oss-security] 20200603 [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2020/06/03/2"}, {"name": "[ignite-user] 20200603 RE: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rdf37011b92a31a67c299ff45655e2638f194fc814e5c6e2fde352884%40%3Cuser.ignite.apache.org%3E"}, {"name": "[ignite-dev] 20200603 RE: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rdf37011b92a31a67c299ff45655e2638f194fc814e5c6e2fde352884%40%3Cdev.ignite.apache.org%3E"}, {"name": "[ignite-dev] 20200605 Re: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rf032a13a4711f88c0a2c0734eecbee1026cc1b6cde27d16a653f8755%40%3Cdev.ignite.apache.org%3E"}, {"name": "[ignite-dev] 20200608 Re: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd43ae18588fd7bdb375be63bc95a651aab319ced6306759e1237ce67%40%3Cdev.ignite.apache.org%3E"}, {"name": "[ignite-user] 20200609 Re: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r119024ef71c8d39f952df0950a275d09714715179aff544aea0129a3%40%3Cuser.ignite.apache.org%3E"}, {"name": "[ignite-dev] 20200615 Re: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612d1a0fdd30beb94%40%3Cdev.ignite.apache.org%3E"}, {"name": "[ignite-user] 20200615 Re: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612d1a0fdd30beb94%40%3Cuser.ignite.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r1933faf8a26c431f38a5f8dbbfab80254454e54e33a79be474b67dc4%40%3Cdev.ignite.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2020-1963", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Ignite", "version": {"version_data": [{"version_value": "All versions of Apache Ignite up to 2.8"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which could be used by attacker to access to a filesystem."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Disclosure"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20200603 [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/06/03/2"}, {"name": "[ignite-user] 20200603 RE: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdf37011b92a31a67c299ff45655e2638f194fc814e5c6e2fde352884@%3Cuser.ignite.apache.org%3E"}, {"name": "[ignite-dev] 20200603 RE: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdf37011b92a31a67c299ff45655e2638f194fc814e5c6e2fde352884@%3Cdev.ignite.apache.org%3E"}, {"name": "[ignite-dev] 20200605 Re: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf032a13a4711f88c0a2c0734eecbee1026cc1b6cde27d16a653f8755@%3Cdev.ignite.apache.org%3E"}, {"name": "[ignite-dev] 20200608 Re: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd43ae18588fd7bdb375be63bc95a651aab319ced6306759e1237ce67@%3Cdev.ignite.apache.org%3E"}, {"name": "[ignite-user] 20200609 Re: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r119024ef71c8d39f952df0950a275d09714715179aff544aea0129a3@%3Cuser.ignite.apache.org%3E"}, {"name": "[ignite-dev] 20200615 Re: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612d1a0fdd30beb94@%3Cdev.ignite.apache.org%3E"}, {"name": "[ignite-user] 20200615 Re: [CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612d1a0fdd30beb94@%3Cuser.ignite.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "https://lists.apache.org/thread.html/r1933faf8a26c431f38a5f8dbbfab80254454e54e33a79be474b67dc4%40%3Cdev.ignite.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r1933faf8a26c431f38a5f8dbbfab80254454e54e33a79be474b67dc4%40%3Cdev.ignite.apache.org%3E"}]}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2020-1963", "datePublished": "2020-06-03T12:53:40", "dateReserved": "2019-12-02T00:00:00", "dateUpdated": "2022-02-07T14:40:34", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:ignite:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3E9C96C-44EA-4545-A3A4-4B13226E0620", "versionEndIncluding": "2.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache Ignite uses H2 database to build SQL distributed execution engine. H2 provides SQL functions which could be used by attacker to access to a filesystem."}, {"lang": "es", "value": "Apache Ignite utiliza la base de datos H2 para construir el motor de ejecuci\u00f3n distribuida de SQL. H2 proporciona funciones SQL que el atacante podr\u00eda usar para acceder a un sistema de archivos."}], "id": "CVE-2020-1963", "lastModified": "2023-11-07T03:19:38.707", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-03T13:15:10.477", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/06/03/2"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r119024ef71c8d39f952df0950a275d09714715179aff544aea0129a3%40%3Cuser.ignite.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r1933faf8a26c431f38a5f8dbbfab80254454e54e33a79be474b67dc4%40%3Cdev.ignite.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rd43ae18588fd7bdb375be63bc95a651aab319ced6306759e1237ce67%40%3Cdev.ignite.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rdf37011b92a31a67c299ff45655e2638f194fc814e5c6e2fde352884%40%3Cdev.ignite.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rdf37011b92a31a67c299ff45655e2638f194fc814e5c6e2fde352884%40%3Cuser.ignite.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612d1a0fdd30beb94%40%3Cdev.ignite.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/re7b43cf8333ee30b6589e465f72a6ed4a082222612d1a0fdd30beb94%40%3Cuser.ignite.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rf032a13a4711f88c0a2c0734eecbee1026cc1b6cde27d16a653f8755%40%3Cdev.ignite.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Not Applicable", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}