CVE-2020-4002

CWE-732 — Incorrect Permission Assignment5 documents5 sources

Severity

7.2HIGH

EPSS

0.6%

top 31.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Sd-wan Orchestrator

Timeline

PublishedNov 24

Latest updateMay 24

Description

The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1 handles system parameters in an insecure way. An authenticated SD-WAN Orchestrator user with high privileges may be able to execute arbitrary code on the underlying operating system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDvmware/sd-wan_orchestrator3.4.0 — 3.4.4+2

▶CVEListV5vmware_sd-wan_orchestratorVMware SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4..0.1.

🔴Vulnerability Details

GHSA

GHSA-h9xp-3922-7v5q: The SD-WAN Orchestrator 3↗2022-05-24

▶

OSV

linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, l↗2022-01-06

▶

CVEList

CVE-2020-4002: The SD-WAN Orchestrator 3↗2020-11-24

▶

📋Vendor Advisories

VMware

VMware SD-WAN Orchestrator updates address multiple security vulnerabilities (CVE-2020-3984, CVE-2020-3985, CVE-2020-4000, CVE-2020-4001, CVE-2020-4002 ,CVE-2020-4003)↗2020-11-18

▶