Details of VAR-202102-0542

ID

VAR-202102-0542

CVE

CVE-2020-9205

TITLE

ManageOne In CSV Vulnerability in neutralizing mathematical elements in files

Trust: 0.8

sources: JVNDB: JVNDB-2020-015934

DESCRIPTION

There has a CSV injection vulnerability in ManageOne 8.0.1. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device. ManageOne Has CSV A vulnerability exists regarding the neutralization of mathematical elements in files.Information may be tampered with. Huawei Manageone is a set of cloud data center management solutions of China Huawei (Huawei). The product supports unified management of heterogeneous cloud resource pools, and provides functions such as multi-level VDC matching customer organization model, service catalog planning, self-service, centralized alarm analysis, and intelligent operation and maintenance. Injection vulnerabilities exist in ManageOne products. Huawei ManageOne could allow a remote authenticated malicious user to execute arbitrary code on the system, caused by a CSV injection vulnerability

Trust: 1.8

sources: NVD: CVE-2020-9205 // JVNDB: JVNDB-2020-015934 // VULHUB: VHN-187330 // VULMON: CVE-2020-9205

AFFECTED PRODUCTS

vendor:	huawei	model:	manageone	scope:	eq	version:	8.0.1	Trust: 1.8
vendor:	huawei	model:	manageone	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-015934 // NVD: CVE-2020-9205

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-9205
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2020-9205
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202101-2474
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-187330
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-9205
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-187330
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-9205
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	1.2
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2020-9205
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-187330 // JVNDB: JVNDB-2020-015934 // CNNVD: CNNVD-202101-2474 // NVD: CVE-2020-9205

PROBLEMTYPE DATA

problemtype:	CWE-1236	Trust: 1.0
problemtype:	CSV Improper neutralization of mathematical elements in the file (CWE-1236) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-015934 // NVD: CVE-2020-9205

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202101-2474

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-202101-2474

PATCH

title:	huawei-sa-20210127-01-csvinjection	url:	https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210127-01-csvinjection-en	Trust: 0.8
title:	Huawei ManageOne Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=140080	Trust: 0.6

sources: JVNDB: JVNDB-2020-015934 // CNNVD: CNNVD-202101-2474

EXTERNAL IDS

db:	NVD	id:	CVE-2020-9205	Trust: 2.6
db:	JVNDB	id:	JVNDB-2020-015934	Trust: 0.8
db:	CNNVD	id:	CNNVD-202101-2474	Trust: 0.7
db:	VULHUB	id:	VHN-187330	Trust: 0.1
db:	VULMON	id:	CVE-2020-9205	Trust: 0.1

sources: VULHUB: VHN-187330 // VULMON: CVE-2020-9205 // JVNDB: JVNDB-2020-015934 // CNNVD: CNNVD-202101-2474 // NVD: CVE-2020-9205

REFERENCES

url:	https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20210127-01-csvinjection-en	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-9205	Trust: 1.4
url:	https://www.huawei.com/cn/psirt/security-advisories/huawei-sa-20210127-01-csvinjection-cn	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/195759	Trust: 0.1

sources: VULHUB: VHN-187330 // VULMON: CVE-2020-9205 // JVNDB: JVNDB-2020-015934 // CNNVD: CNNVD-202101-2474 // NVD: CVE-2020-9205

SOURCES

db:	VULHUB	id:	VHN-187330
db:	VULMON	id:	CVE-2020-9205
db:	JVNDB	id:	JVNDB-2020-015934
db:	CNNVD	id:	CNNVD-202101-2474
db:	NVD	id:	CVE-2020-9205

LAST UPDATE DATE

2024-11-23T22:25:11.758000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-187330	date:	2021-02-10T00:00:00
db:	VULMON	id:	CVE-2020-9205	date:	2021-02-10T00:00:00
db:	JVNDB	id:	JVNDB-2020-015934	date:	2021-10-25T07:49:00
db:	CNNVD	id:	CNNVD-202101-2474	date:	2021-02-18T00:00:00
db:	NVD	id:	CVE-2020-9205	date:	2024-11-21T05:40:09.517

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-187330	date:	2021-02-06T00:00:00
db:	VULMON	id:	CVE-2020-9205	date:	2021-02-06T00:00:00
db:	JVNDB	id:	JVNDB-2020-015934	date:	2021-10-25T00:00:00
db:	CNNVD	id:	CNNVD-202101-2474	date:	2021-01-27T00:00:00
db:	NVD	id:	CVE-2020-9205	date:	2021-02-06T02:15:12.540