CVE-2020-5341 - OpenCVE

Deserialization of Untrusted Data Vulnerability Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2, 19.1 and 19.2 and Dell EMC Integrated Data Protection Appliance versions 2.0, 2.1, 2.2, 2.3, 2.4 and 2.4.1 contain a Deserialization of Untrusted Data Vulnerability. A remote unauthenticated attacker could exploit this vulnerability to send a serialized payload that would execute code on the system.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Dell	Emc Integrated Data Protection Appliance Firmware Emc Avamar Server

Configuration 1 [-]

OR	cpe:2.3:a:dell:emc_avamar_server:7.4.1:::::::*
	cpe:2.3:a:dell:emc_avamar_server:7.5.0:::::::*
	cpe:2.3:a:dell:emc_avamar_server:7.5.1:::::::*
	cpe:2.3:a:dell:emc_avamar_server:18.1:::::::*
	cpe:2.3:a:dell:emc_avamar_server:18.2:::::::*
	cpe:2.3:a:dell:emc_avamar_server:19.1:::::::*
	cpe:2.3:a:dell:emc_avamar_server:19.2:::::::*
	cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.0:::::::*
	cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.1:::::::*
	cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.2:::::::*
	cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.3:::::::*
	cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.4:::::::*
	cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.4.1:::::::*

References

Link	Resource
https://www.dell.com/support/security/en-us/details/541677/DSA-2020-057-Dell-EMC-Avamar-Server-Deserialization-of-Untrusted-Data-Vulnerability	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: dell

Published: 2020-02-27T00:00:00

Updated: 2021-07-28T00:05:14

Reserved: 2020-01-03T00:00:00

Link: CVE-2020-5341

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-07-28T00:15:07.637

Modified: 2021-08-05T19:13:10.353

Link: CVE-2020-5341

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"containers": {"cna": {"affected": [{"product": "Avamar Virtual Edition", "vendor": "Dell", "versions": [{"lessThan": "Avamar 7.5 Virtual Edition for VMware vSphere only", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2020-02-27T00:00:00", "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data Vulnerability Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2, 19.1 and 19.2 and Dell EMC Integrated Data Protection Appliance versions 2.0, 2.1, 2.2, 2.3, 2.4 and 2.4.1 contain a Deserialization of Untrusted Data Vulnerability. A remote unauthenticated attacker could exploit this vulnerability to send a serialized payload that would execute code on the system."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-07-28T00:05:14", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.dell.com/support/security/en-us/details/541677/DSA-2020-057-Dell-EMC-Avamar-Server-Deserialization-of-Untrusted-Data-Vulnerability"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@dell.com", "DATE_PUBLIC": "2020-02-27", "ID": "CVE-2020-5341", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Avamar Virtual Edition", "version": {"version_data": [{"version_affected": "<", "version_value": "Avamar 7.5 Virtual Edition for VMware vSphere only"}]}}]}, "vendor_name": "Dell"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Deserialization of Untrusted Data Vulnerability Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2, 19.1 and 19.2 and Dell EMC Integrated Data Protection Appliance versions 2.0, 2.1, 2.2, 2.3, 2.4 and 2.4.1 contain a Deserialization of Untrusted Data Vulnerability. A remote unauthenticated attacker could exploit this vulnerability to send a serialized payload that would execute code on the system."}]}, "impact": {"cvss": {"baseScore": 9.8, "baseSeverity": "Critical", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502: Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://www.dell.com/support/security/en-us/details/541677/DSA-2020-057-Dell-EMC-Avamar-Server-Deserialization-of-Untrusted-Data-Vulnerability", "refsource": "MISC", "url": "https://www.dell.com/support/security/en-us/details/541677/DSA-2020-057-Dell-EMC-Avamar-Server-Deserialization-of-Untrusted-Data-Vulnerability"}]}}}}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2020-5341", "datePublished": "2020-02-27T00:00:00", "dateReserved": "2020-01-03T00:00:00", "dateUpdated": "2021-07-28T00:05:14", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dell:emc_avamar_server:7.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D31DB2E9-502A-4097-B7D0-01BD33CB5DC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_avamar_server:7.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "2505F76D-6AB8-489A-AB9D-9069B9A9025E", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_avamar_server:7.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "B5714A80-1068-4C43-AF9F-2176C72D1416", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_avamar_server:18.1:*:*:*:*:*:*:*", "matchCriteriaId": "ABDC11FA-A04A-4578-99BA-D6A2AE0051A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_avamar_server:18.2:*:*:*:*:*:*:*", "matchCriteriaId": "52BE822E-6FD6-4FC8-9DFC-A4073D31B58C", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_avamar_server:19.1:*:*:*:*:*:*:*", "matchCriteriaId": "D055384E-1362-43FC-BD4C-9FAED912FE1F", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_avamar_server:19.2:*:*:*:*:*:*:*", "matchCriteriaId": "AB61C3E2-E97A-48FA-BECE-3593B77C1386", "vulnerable": true}, {"criteria": "cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "5C133A08-973B-43E2-8E0C-9B7AEF467BDD", "vulnerable": true}, {"criteria": "cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "889D0DDB-7D31-4AE9-972A-AE14CC2A82BF", "vulnerable": true}, {"criteria": "cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "970D60B9-9DAD-4F1D-BFBE-BB069756011C", "vulnerable": true}, {"criteria": "cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.3:*:*:*:*:*:*:*", "matchCriteriaId": "1335A62E-B8AB-4D72-A8CE-D2E79EFC42A3", "vulnerable": true}, {"criteria": "cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.4:*:*:*:*:*:*:*", "matchCriteriaId": "7B70F149-1646-4D04-A693-A6263011540D", "vulnerable": true}, {"criteria": "cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "56CA7E2E-33D7-48CE-9AAF-2474933BE95B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data Vulnerability Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2, 19.1 and 19.2 and Dell EMC Integrated Data Protection Appliance versions 2.0, 2.1, 2.2, 2.3, 2.4 and 2.4.1 contain a Deserialization of Untrusted Data Vulnerability. A remote unauthenticated attacker could exploit this vulnerability to send a serialized payload that would execute code on the system."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables Las versiones 7.4.1, 7.5.0, 7.5.1, 18.2, 19.1 y 19.2 de Dell EMC Avamar Server y las versiones 2.0, 2.1, 2.2, 2.3, 2.4 y 2.4.1 de Dell EMC Integrated Data Protection Appliance contienen una vulnerabilidad de deserializaci\u00f3n de datos no confiables. Un atacante remoto no autenticado podr\u00eda aprovechar esta vulnerabilidad para enviar una carga \u00fatil serializada que ejecutar\u00eda c\u00f3digo en el sistema."}], "id": "CVE-2020-5341", "lastModified": "2021-08-05T19:13:10.353", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2021-07-28T00:15:07.637", "references": [{"source": "security_alert@emc.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.dell.com/support/security/en-us/details/541677/DSA-2020-057-Dell-EMC-Avamar-Server-Deserialization-of-Untrusted-Data-Vulnerability"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "security_alert@emc.com", "type": "Secondary"}]}