CVE-2020-4469
Published 2020-06-15
Priority P2 · 64 · Critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 13.39% (95.9th percentile)
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary commands on the system. This vulnerability is due to an incomplete fix for CVE-2020-4211. IBM X-Force ID: 181724.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | spectrum_protect_plus | 10.1.0 – 10.1.5 | — |
Detection & IOCs (extracted from sources)
- Command (PoC request quoted from the referenced advisory): `curl -ki --tlsv1.2 -H 'x-ac-sessionid: abcd' -d "hostname=';id >/tmp/cmd_injection;echo '" 'https://<target>:8090/emi/api/hostname'`
- Alert on any HTTP request to /emi/api/hostname or /emi/api/netconfig on port 8090 that does not carry a valid authenticated session; the endpoints lack authentication and accept arbitrary input.
- Monitor for the static fake session header 'x-ac-sessionid: abcd' in HTTP requests to the SPP appliance, used in PoC exploitation to bypass session checks.
- Detect creation of files /tmp/cmd_injection or /tmp/hacked on the SPP appliance filesystem, which are written by the published PoC exploits.
- Watch for outbound HTTP GET requests from the SPP appliance to external hosts on port 8080 fetching .rpm files, indicating the CVE-2020-4470 RPM-download attack chain is in progress.
- Flag installation of RPM packages named attacker-rpm-1.0-0.noarch.rpm or sourced from /tmp on the SPP appliance, as this is the PoC malicious package used for RCE via scriptlets.
- CVE-2020-4469 is an incomplete fix for CVE-2020-4211. IBM SPP 10.1.5-2181 and later attempted to mitigate the original injection by single-quoting the hostname parameter, but this is insufficient: the injection payload wraps around the single-quote sanitization.
- The exploit requires no authentication; any arbitrary value for the x-ac-sessionid header (e.g., 'abcd') is accepted by the vulnerable endpoints, so session-based controls are not an effective mitigation.
- Successful exploitation results in command execution with root privileges, meaning any detection or response must assume full system compromise.
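The detection points above, turned into runnable logic as an added example (not code from this page or from any of its cited sources). It assumes request records that a reverse proxy or appliance access log has already been parsed into (port, path, headers, body) and host events (file creation, RPM install) in a shape chosen here; the sample records are constructed, and the assumption that a legitimate x-ac-sessionid is a long hexadecimal token is hypothetical and should be replaced with the real session-validation call where one is available.

```python
"""Detection logic for the IBM SPP /emi/api/* injection endpoints and the
host-side artifacts named in the IOC list. Added example; all sample
records below are constructed, not captured traffic."""
import re
from urllib.parse import parse_qs

VULNERABLE_PATHS = ("/emi/api/hostname", "/emi/api/netconfig")
SPP_PORT = 8090
FAKE_SESSION_ID = "abcd"          # static value used by the published PoC
POC_FILES = {"/tmp/cmd_injection", "/tmp/hacked"}
POC_RPM = "attacker-rpm-1.0-0.noarch.rpm"
# Assumption (hypothetical): a real SPP session id is a long hex token.
SESSION_RE = re.compile(r"^[0-9a-f]{32,}$")
# Characters that break out of the single-quote "sanitisation" of the
# hostname parameter; a legitimate hostname never contains any of them.
SHELL_META_RE = re.compile(r"['`;|&$()<>]")


def check_request(req):
    """Return detection reasons for one HTTP request (empty list = benign)."""
    reasons = []
    path = req.get("path", "").split("?", 1)[0]
    if req.get("port") != SPP_PORT or not path.startswith(VULNERABLE_PATHS):
        return reasons
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    sid = headers.get("x-ac-sessionid")
    if sid == FAKE_SESSION_ID:
        reasons.append("static PoC session id 'abcd'")
    elif not sid or not SESSION_RE.match(sid):
        reasons.append("missing or malformed session id")
    body = parse_qs(req.get("body", ""), keep_blank_values=True)
    for name, values in body.items():
        if any(SHELL_META_RE.search(v) for v in values):
            reasons.append(f"shell metacharacters in parameter '{name}'")
    return reasons


def check_host_event(event):
    """Return detection reasons for one host event from the SPP appliance."""
    reasons = []
    if event.get("type") == "file_create" and event.get("path") in POC_FILES:
        reasons.append(f"PoC artifact {event['path']} created")
    if event.get("type") == "rpm_install":
        if event.get("package") == POC_RPM:
            reasons.append(f"PoC package {POC_RPM} installed")
        if event.get("source", "").startswith("/tmp/"):
            reasons.append("RPM installed from /tmp")
    return reasons


def scan(requests, host_events):
    """Run both checks and return only the records that produced reasons."""
    hits = []
    for i, req in enumerate(requests):
        if reasons := check_request(req):
            hits.append({"kind": "http", "index": i, "reasons": reasons})
    for i, ev in enumerate(host_events):
        if reasons := check_host_event(ev):
            hits.append({"kind": "host", "index": i, "reasons": reasons})
    return hits


# Constructed sample records (not real captures).
SAMPLE_REQUESTS = [
    {"port": 8090, "method": "POST", "path": "/emi/api/hostname",
     "headers": {"X-AC-SessionId": "abcd"},
     "body": "hostname=';id >/tmp/cmd_injection;echo '"},   # the PoC request
    {"port": 8090, "method": "POST", "path": "/emi/api/netconfig",
     "headers": {}, "body": "hostname=spp-appliance-01"},  # no session at all
    {"port": 8090, "method": "POST", "path": "/emi/api/hostname",
     "headers": {"x-ac-sessionid": "3f9a" * 8},
     "body": "hostname=spp-appliance-01"},                  # looks legitimate
    {"port": 443, "method": "GET", "path": "/api/endeavour/session",
     "headers": {"x-ac-sessionid": "abcd"}, "body": ""},    # other service
]
SAMPLE_HOST_EVENTS = [
    {"type": "file_create", "path": "/tmp/cmd_injection", "user": "root"},
    {"type": "rpm_install", "package": POC_RPM, "source": "/tmp/" + POC_RPM},
    {"type": "rpm_install", "package": "openssl-1.1.1g-1.el7.x86_64.rpm",
     "source": "/var/cache/yum/openssl-1.1.1g-1.el7.x86_64.rpm"},
    {"type": "file_create", "path": "/tmp/session.lock", "user": "spp"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS, SAMPLE_HOST_EVENTS):
        print(hit)
```

The fourth sample request carries the fake 'abcd' header but is sent to a different port and path, so it is deliberately not flagged: the first two checks are scoped to the two vulnerable endpoints on 8090 to keep the rule precise. Widen the scope if the appliance logs show the header being probed elsewhere.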
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
No public exploits indexed.
Tenable: IBM Spectrum Protect Plus Multiple Vulnerabilities (blogs_tenable · 2020-06-15)
Bugzilla: CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c (bugzilla · 2020-04-14 · CVSS 7.8 · HIGH)
A heap-based buffer overflow was discovered in libcups's ppdFindOption() function in ppd-mark.c:430. The issue can be reproduced by loading a crafted ppd file and calling the ppdMarkDefaults() libcups API function.
Discussion:
Acknowledgments:
Name: Apple Product Security
Upstream: Stephan Zeisberg (Security Research Labs)
---
Public:
https://support.apple.com/en-us/HT211100
---
Created cups tracking bugs for this issue:
Affects: fedora-all [bug 1826330]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4469 https://access.redhat.com/errata/RHSA-2020:4469
---
This bug is now closed. Further updates for individual products will be re
References:
- https://exchange.xforce.ibmcloud.com/vulnerabilities/181724
- https://www.ibm.com/support/pages/node/6221358
- https://www.tenable.com/security/research/tra-2020-37