ID

VAR-202009-1635


CVE

CVE-2020-11998


TITLE

Pillow Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

DESCRIPTION

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html "A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code." Mitigation: Upgrade to Apache ActiveMQ 5.15.13. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Apache ActiveMQ is a set of open source message middleware of the Apache Software Foundation in the United States. It supports Java message services, clusters, Spring Framework, etc. A security vulnerability exists in Apache ActiveMQ version 5.15.13. An attacker could exploit this vulnerability to execute arbitrary code

Trust: 1.53

sources: NVD: CVE-2020-11998 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-164632

AFFECTED PRODUCTS

vendor:oraclemodel:communications element managerscope:gteversion:8.2.0

Trust: 1.0

vendor:oraclemodel:communications session report managerscope:gteversion:8.0.0

Trust: 1.0

vendor:apachemodel:activemqscope:eqversion:5.15.12

Trust: 1.0

vendor:oraclemodel:flexcube private bankingscope:eqversion:12.0.0

Trust: 1.0

vendor:oraclemodel:communications element managerscope:lteversion:8.2.4.0

Trust: 1.0

vendor:oraclemodel:flexcube private bankingscope:eqversion:12.1.0

Trust: 1.0

vendor:oraclemodel:communications diameter signaling routerscope:gteversion:8.0.0

Trust: 1.0

vendor:oraclemodel:communications session route managerscope:gteversion:8.0.0

Trust: 1.0

vendor:oraclemodel:enterprise repositoryscope:eqversion:11.1.1.7.0

Trust: 1.0

vendor:oraclemodel:communications session report managerscope:lteversion:8.2.2

Trust: 1.0

vendor:oraclemodel:communications session route managerscope:lteversion:8.2.2

Trust: 1.0

vendor:oraclemodel:communications diameter signaling routerscope:lteversion:8.5.0

Trust: 1.0

sources: NVD: CVE-2020-11998

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-11998
value: CRITICAL

Trust: 1.0

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202009-680
value: CRITICAL

Trust: 0.6

VULHUB: VHN-164632
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-11998
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-164632
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-11998
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-164632 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202009-680 // NVD: CVE-2020-11998

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2020-11998

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-680

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:Apache ActiveMQ Fixes for code execution vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=128122

Trust: 0.6

sources: CNNVD: CNNVD-202009-680

EXTERNAL IDS

db:NVDid:CVE-2020-11998

Trust: 1.7

db:CNNVDid:CNNVD-202009-680

Trust: 0.7

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:CS-HELPid:SB2021072139

Trust: 0.6

db:CS-HELPid:SB2021042523

Trust: 0.6

db:CS-HELPid:SB2021072724

Trust: 0.6

db:NSFOCUSid:49920

Trust: 0.6

db:CNVDid:CNVD-2020-51792

Trust: 0.1

db:VULHUBid:VHN-164632

Trust: 0.1

sources: VULHUB: VHN-164632 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202009-680 // NVD: CVE-2020-11998

REFERENCES

url:https://www.oracle.com/security-alerts/cpuapr2021.html

Trust: 2.3

url:https://www.oracle.com/security-alerts/cpujan2021.html

Trust: 2.3

url:https://www.oracle.com/security-alerts/cpuoct2021.html

Trust: 2.3

url:http://activemq.apache.org/security-advisories.data/cve-2020-11998-announcement.txt

Trust: 1.7

url:https://www.oracle.com//security-alerts/cpujul2021.html

Trust: 1.7

url:https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3ccommits.activemq.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3ccommits.activemq.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d@%3ccommits.activemq.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7@%3ccommits.activemq.apache.org%3e

Trust: 0.7

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:http://www.nsfocus.net/vulndb/49920

Trust: 0.6

url:https://vigilance.fr/vulnerability/oracle-fusion-middleware-vulnerabilities-of-january-2021-34371

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-11998

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021042523

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021072724

Trust: 0.6

url:https://www.oracle.com/security-alerts/cpujul2021.html

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021072139

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-activemq-affect-ibm-operations-analytics-predictive-insights-cve-2020-11998-cve-2020-13920/

Trust: 0.6

sources: VULHUB: VHN-164632 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202009-680 // NVD: CVE-2020-11998

SOURCES

db:VULHUBid:VHN-164632
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202009-680
db:NVDid:CVE-2020-11998

LAST UPDATE DATE

2024-08-14T12:24:16.254000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-164632date:2021-12-10T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202009-680date:2021-10-21T00:00:00
db:NVDid:CVE-2020-11998date:2023-11-07T03:15:18.507

SOURCES RELEASE DATE

db:VULHUBid:VHN-164632date:2020-09-10T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202009-680date:2020-09-10T00:00:00
db:NVDid:CVE-2020-11998date:2020-09-10T19:15:13.083