CVE-2020-24614 — Missing Authorization in Fossil

CWE-862 — Missing Authorization CWE-94 — Code Injection7 documents6 sources

Severity

8.8HIGHNVD

EPSS

6.4%

top 8.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fossil-scm Fossil Fedoraproject Fedora Opensuse Backports SLE +1 more

Timeline

PublishedAug 25

Latest updateMay 24

Description

Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 allows remote authenticated users to execute arbitrary code. An attacker must have check-in privileges on the repository.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDfossil-scm/fossil2.11.0 — 2.11.2+2

▶Debianfossil-scm/fossil< 1:2.12.1-1+2

▶NVDopensuse/leap15.1, 15.2+1

▶NVDopensuse/backports_sle15.0

Also affects: Fedora 32, 33

🔴Vulnerability Details

GHSA

GHSA-83fw-5hmv-mmqf: Fossil before 2↗2022-05-24

▶

OSV

CVE-2020-24614: Fossil before 2↗2020-08-25

▶

CVEList

CVE-2020-24614: Fossil before 2↗2020-08-25

▶

📋Vendor Advisories

Debian

CVE-2020-24614: fossil - Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 allows remo...↗2020

▶

💬Community

Bugzilla

CVE-2020-24614 fossil: allows remote authenticated users to execute arbitrary code [fedora-all]↗2020-08-20

▶

Bugzilla

CVE-2020-24614 fossil: allows remote authenticated users to execute arbitrary code↗2020-08-20

▶