CVE-2020-2505 - OpenCVE

If exploited, this vulnerability could allow attackers to gain sensitive information via generation of error messages. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later.

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Qnap	Qes

Configuration 1 [-]

OR	cpe:2.3:a:qnap:qes::::::::
	cpe:2.3:a:qnap:qes:2.1.1:-::::::
	cpe:2.3:a:qnap:qes:2.1.1:build_20200211::::::
	cpe:2.3:a:qnap:qes:2.1.1:build_20200303::::::
	cpe:2.3:a:qnap:qes:2.1.1:build_20200319::::::
	cpe:2.3:a:qnap:qes:2.1.1:build_20200424::::::
	cpe:2.3:a:qnap:qes:2.1.1:build_20200515::::::
	cpe:2.3:a:qnap:qes:2.1.1:build_20200811::::::

References

Link	Resource
https://www.qnap.com/zh-tw/security-advisory/qsa-20-17	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: qnap

Published: 2020-12-23T00:00:00

Updated: 2020-12-31T16:33:28

Reserved: 2019-12-09T00:00:00

Link: CVE-2020-2505

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-12-24T02:15:12.750

Modified: 2020-12-28T14:42:11.550

Link: CVE-2020-2505

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"platforms": ["build 20201006"], "product": "QES", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "2.1.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "TIM Security Red Team Research"}], "datePublic": "2020-12-23T00:00:00", "descriptions": [{"lang": "en", "value": "If exploited, this vulnerability could allow attackers to gain sensitive information via generation of error messages. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209 Information Exposure Through an Error Message", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-755", "description": "CWE-755 Improper Handling of Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-31T16:33:28", "orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-17"}], "solutions": [{"lang": "en", "value": "QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later."}], "source": {"advisory": "QSA-20-17", "discovery": "EXTERNAL"}, "title": " Sensitive information via generation of error messages vulnerability in QES", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@qnap.com", "DATE_PUBLIC": "2020-12-23T05:49:00.000Z", "ID": "CVE-2020-2505", "STATE": "PUBLIC", "TITLE": " Sensitive information via generation of error messages vulnerability in QES"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "QES", "version": {"version_data": [{"platform": "build 20201006", "version_affected": "<", "version_value": "2.1.1"}]}}]}, "vendor_name": "QNAP Systems Inc."}]}}, "credit": [{"lang": "eng", "value": "TIM Security Red Team Research"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "If exploited, this vulnerability could allow attackers to gain sensitive information via generation of error messages. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-209 Information Exposure Through an Error Message"}]}, {"description": [{"lang": "eng", "value": "CWE-755 Improper Handling of Exceptional Conditions"}]}]}, "references": {"reference_data": [{"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-17", "refsource": "MISC", "url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-17"}]}, "solution": [{"lang": "en", "value": "QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later."}], "source": {"advisory": "QSA-20-17", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "assignerShortName": "qnap", "cveId": "CVE-2020-2505", "datePublished": "2020-12-23T00:00:00", "dateReserved": "2019-12-09T00:00:00", "dateUpdated": "2020-12-31T16:33:28", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qnap:qes:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5DBF31A-5D26-4C7D-8E69-31061FC16C6D", "versionEndExcluding": "2.1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:qes:2.1.1:-:*:*:*:*:*:*", "matchCriteriaId": "B075440F-4DEA-494D-AE27-1182CA4889D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:qes:2.1.1:build_20200211:*:*:*:*:*:*", "matchCriteriaId": "67632014-C383-490C-B048-4DFE88AD3F30", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:qes:2.1.1:build_20200303:*:*:*:*:*:*", "matchCriteriaId": "AF83A348-E7B1-4008-8313-9F28B9A9B020", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:qes:2.1.1:build_20200319:*:*:*:*:*:*", "matchCriteriaId": "AAF45709-BE55-45A4-8DD1-0D3E417D8382", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:qes:2.1.1:build_20200424:*:*:*:*:*:*", "matchCriteriaId": "7C956E79-D019-4AE3-BB65-9A70282CD780", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:qes:2.1.1:build_20200515:*:*:*:*:*:*", "matchCriteriaId": "DB21A827-5B92-468F-9BD0-09EB3E8A2ED4", "vulnerable": true}, {"criteria": "cpe:2.3:a:qnap:qes:2.1.1:build_20200811:*:*:*:*:*:*", "matchCriteriaId": "DA11F0F0-236A-4A24-9AF7-DC8E78D5AA3C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "If exploited, this vulnerability could allow attackers to gain sensitive information via generation of error messages. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later."}, {"lang": "es", "value": "Si se explota, esta vulnerabilidad podr\u00eda permitir a atacantes obtener informaci\u00f3n confidencial por medio de la generaci\u00f3n de mensajes de error. QNAP ya ha corregido estos problemas en QES versiones 2.1.1 Build 20201006 y posteriores"}], "id": "CVE-2020-2505", "lastModified": "2020-12-28T14:42:11.550", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 1.4, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}, "published": "2020-12-24T02:15:12.750", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-17"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-209"}, {"lang": "en", "value": "CWE-755"}], "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}