CVE-2020-8144 - OpenCVE

The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware update information. If the version field contains ..\ character sequences, the destination file path to save the firmware can be manipulated to be outside the intended destination directory tree. Fixed in UniFi Video Controller v3.10.3 and newer.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:A/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Windows
Ui	Unifi Video

Configuration 1 [-]

AND

cpe:2.3:a:ui:unifi_video:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

References

Link	Resource
https://community.ui.com/releases/Security-advisory-bulletin-006-006/3cf6264e-e0e6-4e26-a331-1d271f84673e	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2020-04-01T22:20:04

Updated: 2020-04-01T22:20:04

Reserved: 2020-01-28T00:00:00

Link: CVE-2020-8144

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-04-01T23:15:13.813

Modified: 2020-04-03T15:00:00.800

Link: CVE-2020-8144

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "UniFi Video Controller (for Windows 7/8/10 x64)", "vendor": "n/a", "versions": [{"status": "affected", "version": "v3.9.3 and prior are affected"}, {"status": "affected", "version": "Fixed in v3.10.3 and newer"}]}], "descriptions": [{"lang": "en", "value": "The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware update information. If the version field contains ..\\ character sequences, the destination file path to save the firmware can be manipulated to be outside the intended destination directory tree. Fixed in UniFi Video Controller v3.10.3 and newer."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Path Traversal (CWE-22)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-04-01T22:20:04", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://community.ui.com/releases/Security-advisory-bulletin-006-006/3cf6264e-e0e6-4e26-a331-1d271f84673e"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2020-8144", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "UniFi Video Controller (for Windows 7/8/10 x64)", "version": {"version_data": [{"version_value": "v3.9.3 and prior are affected"}, {"version_value": "Fixed in v3.10.3 and newer"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware update information. If the version field contains ..\\ character sequences, the destination file path to save the firmware can be manipulated to be outside the intended destination directory tree. Fixed in UniFi Video Controller v3.10.3 and newer."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Path Traversal (CWE-22)"}]}]}, "references": {"reference_data": [{"name": "https://community.ui.com/releases/Security-advisory-bulletin-006-006/3cf6264e-e0e6-4e26-a331-1d271f84673e", "refsource": "CONFIRM", "url": "https://community.ui.com/releases/Security-advisory-bulletin-006-006/3cf6264e-e0e6-4e26-a331-1d271f84673e"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2020-8144", "datePublished": "2020-04-01T22:20:04", "dateReserved": "2020-01-28T00:00:00", "dateUpdated": "2020-04-01T22:20:04", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ui:unifi_video:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD1288F1-519E-4CE3-8627-5BB39BCDE0CA", "versionEndIncluding": "3.9.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware update information. If the version field contains ..\\ character sequences, the destination file path to save the firmware can be manipulated to be outside the intended destination directory tree. Fixed in UniFi Video Controller v3.10.3 and newer."}, {"lang": "es", "value": "La funcionalidad Firmware Update de la interfaz web de UniFi Video Server versiones v3.9.3 y anteriores (para Windows 7/8/10 x64), en determinadas circunstancias, no comprueba los destinos de descarga de firmware para garantizar que est\u00e9n dentro del \u00e1rbol de directorios de destino previsto. Acepta una petici\u00f3n con una URL para actualizar la informaci\u00f3n del firmware. Si el campo de versi\u00f3n contiene secuencias de caracteres ..\\, la ruta de archivo de destino para guardar el firmware puede ser manipulada para que est\u00e9 fuera del \u00e1rbol de directorios de destino previsto. Corregido en UniFi Video Controller versi\u00f3n v3.10.3 y m\u00e1s recientes."}], "id": "CVE-2020-8144", "lastModified": "2020-04-03T15:00:00.800", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.2, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 5.1, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-01T23:15:13.813", "references": [{"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://community.ui.com/releases/Security-advisory-bulletin-006-006/3cf6264e-e0e6-4e26-a331-1d271f84673e"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "support@hackerone.com", "type": "Secondary"}]}