CVE-2020-5366

Dell EMC iDRAC9 versions prior to 4.20.20.20 contain a Path Traversal Vulnerability. A remote authenticated malicious user with low privileges could potentially exploit this vulnerability by manipulating input parameters to gain unauthorized read access to the arbitrary files.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.dell.com/support/article/en-us/sln322125/dsa-2020-128-idrac-local-file-inclusion-vulnerability?lang=en	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:dell:idrac9_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:idrac9:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-07-09 14:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-5366

Mitre link : CVE-2020-5366

CVE.ORG link : CVE-2020-5366

JSON object : View

Products Affected

dell

idrac9_firmware
idrac9

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2020-5366", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security_alert@emc.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2020-07-09T14:15:10.793", "references": [{"url": "https://www.dell.com/support/article/en-us/sln322125/dsa-2020-128-idrac-local-file-inclusion-vulnerability?lang=en", "tags": ["Vendor Advisory"], "source": "security_alert@emc.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "security_alert@emc.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Dell EMC iDRAC9 versions prior to 4.20.20.20 contain a Path Traversal Vulnerability. A remote authenticated malicious user with low privileges could potentially exploit this vulnerability by manipulating input parameters to gain unauthorized read access to the arbitrary files."}, {"lang": "es", "value": "Dell EMC iDRAC9 versiones anteriores a 4.20.20.20, contienen una vulnerabilidad de Salto de Ruta. Un usuario malicioso autenticado remoto con pocos privilegios podr\u00eda explotar esta vulnerabilidad al manipular los par\u00e1metros de entrada para conseguir acceso de lectura no autorizado a los archivos arbitrarios"}], "lastModified": "2020-07-15T18:18:35.463", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:dell:idrac9_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B64D591-31BA-4D2F-B5A4-00529C25EDC7", "versionEndExcluding": "4.20.20.20"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dell:idrac9:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BD8B684E-092F-496C-9D94-51CCD1F3575A"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security_alert@emc.com"}