CVE-2020-14319

It was found that the AMQ Online console is vulnerable to a Cross-Site Request Forgery (CSRF) which is exploitable in cases where preflight checks are not instigated or bypassed. For example authorised users using an older browser with Adobe Flash are vulnerable when targeted by an attacker. This flaw affects all versions of AMQ-Online prior to 1.5.2 and Enmasse versions 0.31.0-rc1 up until but not including 0.32.2.

CVSS v3 5.9 MEDIUM
CVSS v2.0 4.0 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:H/Au:N/C:N/I:P/A:P

Exploitability : 4.9 / Impact : 4.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1854373	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:amq_online::::::::
	cpe:2.3:a:redhat:enmasse::::::::

History

No history.

Information

Published : 2020-08-03 17:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-14319

Mitre link : CVE-2020-14319

CVE.ORG link : CVE-2020-14319

JSON object : View

Products Affected

redhat

amq_online
enmasse

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2020-14319", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 1.6}]}, "published": "2020-08-03T17:15:11.730", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1854373", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "It was found that the AMQ Online console is vulnerable to a Cross-Site Request Forgery (CSRF) which is exploitable in cases where preflight checks are not instigated or bypassed. For example authorised users using an older browser with Adobe Flash are vulnerable when targeted by an attacker. This flaw affects all versions of AMQ-Online prior to 1.5.2 and Enmasse versions 0.31.0-rc1 up until but not including 0.32.2."}, {"lang": "es", "value": "Se encontr\u00f3 que la consola AMQ Online es susceptible a una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) que es explotable en casos donde la comprobaciones preflight que no son instigadas ni omitidas. Por ejemplo, los usuarios autorizados que usan un navegador antiguo con Adobe Flash son vulnerables cuando son apuntados por un atacante. Este fallo afecta a todas las versiones de AMQ-Online anteriores a 1.5.2 y Enmasse versiones 0.31.0-rc1 hasta pero sin incluir la versi\u00f3n 0.32.2"}], "lastModified": "2020-08-12T14:16:48.007", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:amq_online:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D7550A08-6C95-4C22-9B4F-711E17E3AED4", "versionEndExcluding": "1.5.2"}, {"criteria": "cpe:2.3:a:redhat:enmasse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A157C020-FF86-4A1C-9DFE-5F0317EACCAF", "versionEndExcluding": "0.32.2"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}