CVE-2020-29668Improper Authentication in Sympa

CWE-287Improper AuthenticationCWE-565Reliance on Cookies without Validation and Integrity Checking4 documents4 sources
Severity
3.7LOWNVD
EPSS
1.0%
top 22.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
SympaDebian SympaDebian Linux+1 more
Timeline
PublishedDec 10
Latest updateMay 24

Description

Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages3 packages

debiandebian/sympa< sympa 6.2.58~dfsg-2 (bookworm)
Debiansympa/sympa< 6.2.58~dfsg-2+3
NVDsympa/sympa6.2.58+1

Also affects: Debian Linux 10.0, 9.0, Fedora 32, 33

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
GHSA-wrwc-95g6-4fm3: Sympa before 62022-05-24
OSV
CVE-2020-29668: Sympa before 62020-12-10

📋Vendor Advisories

1
Debian
CVE-2020-29668: sympa - Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by...2020
CVE-2020-29668 — Improper Authentication in Sympa | cvebase