ID

VAR-202101-0068


CVE

CVE-2020-11997


TITLE

Apache Guacamole Inappropriate Default Permission Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-015475

DESCRIPTION

Apache Guacamole 1.2.0 and earlier do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users. Apache Guacamole is vulnerable to incorrect default permissions. Information may be obtained. Apache Guacamole is a clientless remote desktop gateway of the Apache Foundation. The product supports protocols such as VNC, RDP and SSH. An information disclosure vulnerability exists in Apache Guacamole 1.2.0 and earlier versions. No detailed vulnerability details are currently provided.

Trust: 2.16

sources: NVD: CVE-2020-11997 // JVNDB: JVNDB-2020-015475 // CNVD: CNVD-2021-11840

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-11840

AFFECTED PRODUCTS

vendor: apache, model: guacamole, scope: lte, version: 1.2.0

Trust: 1.0

vendor: apache, model: guacamole, scope: eq, version: -

Trust: 0.8

vendor: apache, model: guacamole, scope: lte, version: 1.2.0 and earlier

Trust: 0.8

vendor: apache, model: guacamole, scope: lte, version: <=1.2.0

Trust: 0.6

sources: CNVD: CNVD-2021-11840 // JVNDB: JVNDB-2020-015475 // NVD: CVE-2020-11997

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-11997
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-11997
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2021-11840
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202101-1500
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2020-11997
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-11840
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-11997
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2020-11997
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-11840 // JVNDB: JVNDB-2020-015475 // CNNVD: CNNVD-202101-1500 // NVD: CVE-2020-11997

PROBLEMTYPE DATA

problemtype: CWE-276

Trust: 1.0

problemtype: Inappropriate default permissions (CWE-276) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-015475 // NVD: CVE-2020-11997

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-1500

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202101-1500

PATCH

title: Inconsistent restriction of connection history visibility
url: https://lists.apache.org/thread.html/r1a9ae9d1608c9f846875c4191cd738f95543d1be06b52dc1320e8117%40%3Cannounce.guacamole.apache.org%3E

Trust: 0.8

title: Patch for Unidentified vulnerabilities in Apache Guacamole
url: https://www.cnvd.org.cn/patchInfo/show/248726

Trust: 0.6

title: Apache Guacamole Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=139766

Trust: 0.6

sources: CNVD: CNVD-2021-11840 // JVNDB: JVNDB-2020-015475 // CNNVD: CNNVD-202101-1500

EXTERNAL IDS

db: NVD, id: CVE-2020-11997

Trust: 3.0

db: JVNDB, id: JVNDB-2020-015475

Trust: 0.8

db: CNVD, id: CNVD-2021-11840

Trust: 0.6

db: CNNVD, id: CNNVD-202101-1500

Trust: 0.6

sources: CNVD: CNVD-2021-11840 // JVNDB: JVNDB-2020-015475 // CNNVD: CNNVD-202101-1500 // NVD: CVE-2020-11997

REFERENCES

url: https://lists.apache.org/thread.html/r1a9ae9d1608c9f846875c4191cd738f95543d1be06b52dc1320e8117%40%3cannounce.guacamole.apache.org%3e

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2020-11997

Trust: 1.4

sources: CNVD: CNVD-2021-11840 // JVNDB: JVNDB-2020-015475 // CNNVD: CNNVD-202101-1500 // NVD: CVE-2020-11997

SOURCES

db: CNVD, id: CNVD-2021-11840
db: JVNDB, id: JVNDB-2020-015475
db: CNNVD, id: CNNVD-202101-1500
db: NVD, id: CVE-2020-11997

LAST UPDATE DATE

2024-11-23T22:16:10.338000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2021-11840, date: 2021-02-23T00:00:00
db: JVNDB, id: JVNDB-2020-015475, date: 2021-09-27T08:52:00
db: CNNVD, id: CNNVD-202101-1500, date: 2021-01-25T00:00:00
db: NVD, id: CVE-2020-11997, date: 2024-11-21T04:59:04.907

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2021-11840, date: 2021-02-22T00:00:00
db: JVNDB, id: JVNDB-2020-015475, date: 2021-09-27T00:00:00
db: CNNVD, id: CNNVD-202101-1500, date: 2021-01-19T00:00:00
db: NVD, id: CVE-2020-11997, date: 2021-01-19T22:15:12.317