CVE-2020-24640 - OpenCVE

There is a vulnerability caused by insufficient input validation that allows for arbitrary command execution in a containerized environment within Airwave Glass before 1.3.3. Successful exploitation can lead to complete compromise of the underlying host operating system.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Arubanetworks	Airwave Glass

Configuration 1 [-]

cpe:2.3:a:arubanetworks:airwave_glass:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-001.txt	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hpe

Published: 2021-01-15T18:48:35

Updated: 2021-01-15T18:48:35

Reserved: 2020-08-25T00:00:00

Link: CVE-2020-24640

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-01-15T19:15:13.657

Modified: 2021-01-21T16:20:55.547

Link: CVE-2020-24640

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Aruba AirWave Glass Software", "vendor": "n/a", "versions": [{"status": "affected", "version": "Prior to 1.3.3"}]}], "descriptions": [{"lang": "en", "value": "There is a vulnerability caused by insufficient input validation that allows for arbitrary command execution in a containerized environment within Airwave Glass before 1.3.3. Successful exploitation can lead to complete compromise of the underlying host operating system."}], "problemTypes": [{"descriptions": [{"description": "Unauthenticated Arbitrary Command Execution in Web Administrative Interface", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-15T18:48:35", "orgId": "eb103674-0d28-4225-80f8-39fb86215de0", "shortName": "hpe"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-001.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-alert@hpe.com", "ID": "CVE-2020-24640", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Aruba AirWave Glass Software", "version": {"version_data": [{"version_value": "Prior to 1.3.3"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "There is a vulnerability caused by insufficient input validation that allows for arbitrary command execution in a containerized environment within Airwave Glass before 1.3.3. Successful exploitation can lead to complete compromise of the underlying host operating system."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Unauthenticated Arbitrary Command Execution in Web Administrative Interface"}]}]}, "references": {"reference_data": [{"name": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-001.txt", "refsource": "MISC", "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-001.txt"}]}}}}, "cveMetadata": {"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0", "assignerShortName": "hpe", "cveId": "CVE-2020-24640", "datePublished": "2021-01-15T18:48:35", "dateReserved": "2020-08-25T00:00:00", "dateUpdated": "2021-01-15T18:48:35", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arubanetworks:airwave_glass:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5440D98-25CE-48A1-8481-155B6C0CEBB0", "versionEndExcluding": "1.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "There is a vulnerability caused by insufficient input validation that allows for arbitrary command execution in a containerized environment within Airwave Glass before 1.3.3. Successful exploitation can lead to complete compromise of the underlying host operating system."}, {"lang": "es", "value": "Se presenta una vulnerabilidad causada por una comprobaci\u00f3n insuficiente de entrada que permite una ejecuci\u00f3n de comandos arbitrarios en un entorno de contenedores dentro de Airwave Glass versiones anteriores a 1.3.3. Una explotaci\u00f3n con \u00e9xito puede conllevar a un compromiso completo del sistema operativo host subyacente"}], "id": "CVE-2020-24640", "lastModified": "2021-01-21T16:20:55.547", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-15T19:15:13.657", "references": [{"source": "security-alert@hpe.com", "tags": ["Vendor Advisory"], "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-001.txt"}], "sourceIdentifier": "security-alert@hpe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}