CVE-2020-36628 - OpenCVE

A vulnerability classified as critical has been found in Calsign APDE. This affects the function handleExtract of the file APDE/src/main/java/com/calsignlabs/apde/build/dag/CopyBuildTask.java of the component ZIP File Handler. The manipulation leads to path traversal. Upgrading to version 0.5.2-pre2-alpha is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216747.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Android Processing Development Environment Project	Android Processing Development Environment

Configuration 1 [-]

OR	cpe:2.3:a:android_processing_development_environment_project:android_processing_development_environment::::::android::*
	cpe:2.3:a:android_processing_development_environment_project:android_processing_development_environment:0.5.2:pre1_alpha::::android::*

References

Link	Resource
https://github.com/Calsign/APDE/commit/c6d64cbe465348c1bfd211122d89e3117afadecf	Patch Third Party Advisory
https://github.com/Calsign/APDE/releases/tag/v0.5.2-pre2-alpha	Release Notes Third Party Advisory
https://vuldb.com/?id.216747	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: VulDB

Published: 2022-12-25T10:19:53.152Z

Updated:

Reserved: 2022-12-24T10:40:32.917Z

Link: CVE-2020-36628

JSON object: View

NVD Information

Status : Modified

Published: 2022-12-25T11:15:10.763

Modified: 2024-05-17T01:48:52.180

Link: CVE-2020-36628

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2020-36628", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2022-12-24T10:40:32.917Z", "datePublished": "2022-12-25T10:19:53.152Z"}, "containers": {"cna": {"title": "Calsign APDE ZIP File CopyBuildTask.java handleExtract path traversal", "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2022-12-25T10:19:53.152Z"}, "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Path Traversal"}]}], "affected": [{"vendor": "Calsign", "product": "APDE", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["ZIP File Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in Calsign APDE. This affects the function handleExtract of the file APDE/src/main/java/com/calsignlabs/apde/build/dag/CopyBuildTask.java of the component ZIP File Handler. The manipulation leads to path traversal. Upgrading to version 0.5.2-pre2-alpha is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216747."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in Calsign APDE entdeckt. Sie wurde als kritisch eingestuft. Es geht dabei um die Funktion handleExtract der Datei APDE/src/main/java/com/calsignlabs/apde/build/dag/CopyBuildTask.java der Komponente ZIP File Handler. Durch die Manipulation mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Ein Aktualisieren auf die Version 0.5.2-pre2-alpha vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}], "timeline": [{"time": "2022-12-24T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2022-12-24T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2022-12-24T11:46:31.000Z", "lang": "en", "value": "VulDB last update"}], "references": [{"url": "https://vuldb.com/?id.216747", "tags": ["technical-description", "vdb-entry"]}, {"url": "https://github.com/Calsign/APDE/commit/c6d64cbe465348c1bfd211122d89e3117afadecf", "tags": ["mitigation"]}, {"url": "https://github.com/Calsign/APDE/releases/tag/v0.5.2-pre2-alpha", "tags": ["mitigation"]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:android_processing_development_environment_project:android_processing_development_environment:*:*:*:*:*:android:*:*", "matchCriteriaId": "69E22EA1-7C82-4F29-8BC0-A642B063CBDC", "versionEndExcluding": "0.5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:android_processing_development_environment_project:android_processing_development_environment:0.5.2:pre1_alpha:*:*:*:android:*:*", "matchCriteriaId": "E8315D57-8F8F-431C-A74B-5523BA512004", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in Calsign APDE. This affects the function handleExtract of the file APDE/src/main/java/com/calsignlabs/apde/build/dag/CopyBuildTask.java of the component ZIP File Handler. The manipulation leads to path traversal. Upgrading to version 0.5.2-pre2-alpha is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216747."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en Calsign APDE y clasificada como cr\u00edtica. Esto afecta a la funci\u00f3n handleExtract del archivo APDE/src/main/java/com/calsignlabs/apde/build/dag/CopyBuildTask.java del componente ZIP File Handler. La manipulaci\u00f3n conduce a path traversal. La actualizaci\u00f3n a la versi\u00f3n 0.5.2-pre2-alpha puede solucionar este problema. Se recomienda actualizar el componente afectado. El identificador asociado de esta vulnerabilidad es VDB-216747."}], "id": "CVE-2020-36628", "lastModified": "2024-05-17T01:48:52.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2022-12-25T11:15:10.763", "references": [{"source": "cna@vuldb.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Calsign/APDE/commit/c6d64cbe465348c1bfd211122d89e3117afadecf"}, {"source": "cna@vuldb.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/Calsign/APDE/releases/tag/v0.5.2-pre2-alpha"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?id.216747"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cna@vuldb.com", "type": "Primary"}]}