CVE-2020-4222
Published: 2020-02-24
Priority P265 · critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 15.49% (96.4th percentile)
IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. IBM X-Force ID: 175091.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | nifi | — | — |
| ibm | spectrum_protect | — | — |
| ibm | spectrum_protect | >= 10.1.0 < 10.1.5 | 10.1.5 |
| ibm | spectrum_protect_plus | — | — |
| ibm | spectrum_protect_plus | — | — |
CVSS provenance
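| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_apache | | 7.5 | | |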
GHSA
GHSA-jhrr-f782-m5jp: IBM Spectrum Protect Plus 10
ghsa_unreviewed·2022-05-24
CVE-2020-4222 [HIGH] CWE-74 GHSA-jhrr-f782-m5jp: IBM Spectrum Protect Plus 10
IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. IBM X-Force ID: 175091.
Apache
Apache nifi: CVE-2020-9486
vendor_apache·CVSS 7.5
CVE-2020-9486 Apache nifi: CVE-2020-9486
Title: Potential Information Disclosure in Application Logs
Published: 2020-08-18
Severity: Medium
Products: Apache NiFi
Affected Versions: 1.10.0 to 1.11.4
Fixed Versions: 1.12.0
Reporter: Andy LoPresto and Pierre Villard
References
CVE Record: CVE-2020-9486
NVD Record: CVE-2020-9486
Apache Jira Issue: NIFI-7377
GitHub Pull Request: 4222

The NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext. NiFi 1.12.0 implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running any previous NiFi release should upgrade to 1.12.0.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://exchange.xforce.ibmcloud.com/vulnerabilities/175091
https://www.ibm.com/support/pages/node/3178863
https://www.zerodayinitiative.com/advisories/ZDI-20-271/