CVE-2020-1732

A flaw was found in Soteria before 1.0.1, in a way that multiple requests occurring concurrently causing security identity corruption across concurrent threads when using EE Security with WildFly Elytron which can lead to the possibility of being handled using the identity from another request.

CVSS v3 4.2 MEDIUM
CVSS v2.0 4.9 MEDIUM

4.2^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

4.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:N

Exploitability : 6.8 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1732	Issue Tracking Patch Vendor Advisory
https://github.com/wildfly-security/soteria/commit/c2479f8c39d7d661341fdcaff7f5e97c5eea1a54	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:soteria:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform_continuous_delivery:-:::::::*
	cpe:2.3:a:redhat:openshift_application_runtimes:-:::::::*

History

No history.

Information

Published : 2020-05-04 17:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-1732

Mitre link : CVE-2020-1732

CVE.ORG link : CVE-2020-1732

JSON object : View

Products Affected

redhat

jboss_enterprise_application_platform_continuous_delivery
openshift_application_runtimes
soteria
jboss_enterprise_application_platform

CWE

CWE-20

Improper Input Validation

CWE-284

Improper Access Control

{"id": "CVE-2020-1732", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.9, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.6}, {"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.6}]}, "published": "2020-05-04T17:15:12.357", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1732", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/wildfly-security/soteria/commit/c2479f8c39d7d661341fdcaff7f5e97c5eea1a54", "tags": ["Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Soteria before 1.0.1, in a way that multiple requests occurring concurrently causing security identity corruption across concurrent threads when using EE Security with WildFly Elytron which can lead to the possibility of being handled using the identity from another request."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en Soteria versiones anteriores a la versi\u00f3n 1.0.1, en un modo en el que m\u00faltiples peticiones pueden ocurrir simult\u00e1neamente causan una corrupci\u00f3n de identidad de seguridad por medio de subprocesos (hilos) concurrentes cuando se usa EE Security con WildFly Elytron, lo que puede conllevar a una posibilidad de que se maneje usando la identidad de otra petici\u00f3n ."}], "lastModified": "2023-11-07T03:19:30.467", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:soteria:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4045E651-4CE2-463E-90EC-62ED2B5E488F", "versionEndExcluding": "1.0.1"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A"}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform_continuous_delivery:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BEFE06C8-4BF0-4EC0-A848-BF16CFCCDA57"}, {"criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}