CVE-2020-2534
Published: 2020-01-15
CVE-2020-2534: Vulnerability in the Oracle Reports Developer product of Oracle Fusion Middleware (component: Security and Authentication).
Priority: P428 · Severity: medium · CVSS 3.1 base score: 6.1
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.00% (58.3rd percentile)
Vulnerability in the Oracle Reports Developer product of Oracle Fusion Middleware (component: Security and Authentication). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Reports Developer. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Reports Developer, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Reports Developer accessible data as well as unauthorized read access to a subset of Oracle Reports Developer accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | reports_developer | — | — |
| oracle | reports_developer | — | — |
| oracle_corporation | reports_developer | — | — |
| oracle_corporation | reports_developer | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| vendor_oracle | — | 6.1 | MEDIUM | — |
GHSA
GHSA-cfmx-pvrj-ggpg: Vulnerability in the Oracle Reports Developer product of Oracle Fusion Middleware (component: Security and Authentication)
Source: ghsa_unreviewed · 2022-05-24 · Severity: MEDIUM
Description: identical to the NVD description above.
Oracle
Oracle Fusion Middleware Risk Matrix: Security and Authentication — CVE-2020-2534
Source: vendor_oracle · 2020-01-15 · CVSS 6.1 (MEDIUM)
CVE: CVE-2020-2534
CVSS: 6.1
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpujan2020 (JAN 2020)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-15397 hylafax+: unsafe handling of user-writable directories could lead to privileged code execution
Source: bugzilla · 2020-07-01 · CVSS 7.8 (HIGH)
HylaFAX+ through 7.0.2 and HylaFAX Enterprise have scripts that execute binaries from directories writable by unprivileged users (e.g., locations under /var/spool/hylafax that are writable by the uucp account). This allows these users to execute code in the context of the user calling these binaries (often root).
Upstream Reference: https://sourceforge.net/p/hylafax/HylaFAX+/2534/
Discussion:
Created hylafax+ tracking bugs for this issue:
Affects: epel-all [bug 1852805]
Affects: fedora-all [bug 1852804]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Bugzilla
CVE-2020-15396 hylafax+: race condition in faxsetup utility could lead to privilege escalation
Source: bugzilla · 2020-07-01 · CVSS 7.8 (HIGH)
In HylaFAX+ through 7.0.2 and HylaFAX Enterprise, the faxsetup utility calls chown on files in user-owned directories. By winning a race, a local attacker could use this to escalate their privileges to root.
Upstream Reference: https://sourceforge.net/p/hylafax/HylaFAX+/2534/
Discussion:
Created hylafax+ tracking bugs for this issue:
Affects: epel-all [bug 1852811]
Affects: fedora-all [bug 1852810]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Published: 2020-01-15