CVE-2020-7851 - OpenCVE

Innorix Web-Based File Transfer Solution versuibs prior to and including 9.2.18.385 contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the internal method. A remote attacker could induce a user to access a crafted web page, causing damage such as malicious code infection.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Linux	Linux Kernel
Innorix	File Transfer Solution
Microsoft	Windows
Apple	Macos

Configuration 1 [-]

AND

cpe:2.3:a:innorix:file_transfer_solution:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

References

Link	Resource
https://www.innorix.com/ko/	Product Vendor Advisory
https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35984	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: krcert

Published: 2021-03-30T00:00:00

Updated: 2021-04-19T12:55:36

Reserved: 2020-01-22T00:00:00

Link: CVE-2020-7851

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-04-19T13:15:14.980

Modified: 2021-04-23T13:28:41.873

Link: CVE-2020-7851

JSON object: View

Redhat Information

No data.

CWE

CWE-88

{"containers": {"cna": {"affected": [{"platforms": ["x86, x64, Linux, Mac"], "product": "INNORIX Agent.exe", "vendor": "INNORIX", "versions": [{"lessThanOrEqual": "9.2.18.382", "status": "affected", "version": "9.2.18.390", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Thanks to Hyeonjin Ko for reporting this vulnerability."}], "datePublic": "2021-03-30T00:00:00", "descriptions": [{"lang": "en", "value": "Innorix Web-Based File Transfer Solution versuibs prior to and including 9.2.18.385 contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the internal method. A remote attacker could induce a user to access a crafted web page, causing damage such as malicious code infection."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "description": "CWE-88 Argument Injection or Modification", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-19T12:55:36", "orgId": "cdd7a122-0fae-4202-8d86-14efbacc2863", "shortName": "krcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35984"}, {"tags": ["x_refsource_MISC"], "url": "https://www.innorix.com/ko/"}], "solutions": [{"lang": "en", "value": "Update software over 9.2.18.382 version or higher."}], "source": {"discovery": "EXTERNAL"}, "title": "Innorix File Transfer Solution File Download and Execution Vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vuln@krcert.or.kr", "DATE_PUBLIC": "2021-03-30T08:42:00.000Z", "ID": "CVE-2020-7851", "STATE": "PUBLIC", "TITLE": "Innorix File Transfer Solution File Download and Execution Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "INNORIX Agent.exe", "version": {"version_data": [{"platform": "x86, x64, Linux, Mac", "version_affected": "<=", "version_name": "9.2.18.390", "version_value": "9.2.18.382"}]}}]}, "vendor_name": "INNORIX"}]}}, "credit": [{"lang": "eng", "value": "Thanks to Hyeonjin Ko for reporting this vulnerability."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Innorix Web-Based File Transfer Solution versuibs prior to and including 9.2.18.385 contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the internal method. A remote attacker could induce a user to access a crafted web page, causing damage such as malicious code infection."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-88 Argument Injection or Modification"}]}]}, "references": {"reference_data": [{"name": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35984", "refsource": "MISC", "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35984"}, {"name": "https://www.innorix.com/ko/", "refsource": "MISC", "url": "https://www.innorix.com/ko/"}]}, "solution": [{"lang": "en", "value": "Update software over 9.2.18.382 version or higher."}], "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "cdd7a122-0fae-4202-8d86-14efbacc2863", "assignerShortName": "krcert", "cveId": "CVE-2020-7851", "datePublished": "2021-03-30T00:00:00", "dateReserved": "2020-01-22T00:00:00", "dateUpdated": "2021-04-19T12:55:36", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:innorix:file_transfer_solution:*:*:*:*:*:*:*:*", "matchCriteriaId": "795E83D4-721C-4E91-9D62-087E71D3D9A5", "versionEndExcluding": "9.2.18.382", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Innorix Web-Based File Transfer Solution versuibs prior to and including 9.2.18.385 contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the internal method. A remote attacker could induce a user to access a crafted web page, causing damage such as malicious code infection."}, {"lang": "es", "value": "Innorix Web-Based File Transfer Solution, versiones anteriores a 9.2.18.385 incluy\u00e9ndola, contiene una vulnerabilidad que podr\u00eda permitir que archivos remotos sean descargados y ejecutados al ajustar los argumentos en el m\u00e9todo interno. Un atacante remoto podr\u00eda inducir a un usuario a acceder a una p\u00e1gina web dise\u00f1ada, causando da\u00f1os tales como una infecci\u00f3n de c\u00f3digo malicioso"}], "id": "CVE-2020-7851", "lastModified": "2021-04-23T13:28:41.873", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "vuln@krcert.or.kr", "type": "Secondary"}]}, "published": "2021-04-19T13:15:14.980", "references": [{"source": "vuln@krcert.or.kr", "tags": ["Product", "Vendor Advisory"], "url": "https://www.innorix.com/ko/"}, {"source": "vuln@krcert.or.kr", "tags": ["Third Party Advisory"], "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35984"}], "sourceIdentifier": "vuln@krcert.or.kr", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-88"}], "source": "vuln@krcert.or.kr", "type": "Secondary"}]}