CVE-2020-7377
published 2020-08-24CVE-2020-7377: The Metasploit Framework module "auxiliary/admin/http/telpho10_credential_dump" module is affected by a relative path traversal vulnerability in the untar…
PriorityP340high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
EPSS
1.07%
60.7th percentile
The Metasploit Framework module "auxiliary/admin/http/telpho10_credential_dump" module is affected by a relative path traversal vulnerability in the untar method which can be exploited to write arbitrary files to arbitrary locations on the host file system when the module is run on a malicious HTTP server.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | nifi | — | — |
| rapid7 | metasploit | >= 4.12.40 < 6.0.3 | 6.0.3 |
| rapid7 | metasploit_framework | >= 4.12.40 < 4.12.40* | 4.12.40* |
| rapid7 | metasploit_framework | >= 6.0.3 < 6.0.3 | 6.0.3 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
vendor_apache7.5
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-gxg9-f69x-c3pw: The Metasploit Framework module "auxiliary/admin/http/telpho10_credential_dump" module is affected by a relative path traversal vulnerability in the u
ghsa_unreviewed·2022-05-24
CVE-2020-7377 [HIGH] CWE-22 GHSA-gxg9-f69x-c3pw: The Metasploit Framework module "auxiliary/admin/http/telpho10_credential_dump" module is affected by a relative path traversal vulnerability in the u
The Metasploit Framework module "auxiliary/admin/http/telpho10_credential_dump" module is affected by a relative path traversal vulnerability in the untar method which can be exploited to write arbitrary files to arbitrary locations on the host file system when the module is run on a malicious HTTP server.
Apache
Apache nifi: CVE-2020-9486
vendor_apache·CVSS 7.5
CVE-2020-9486 Apache nifi: CVE-2020-9486
Apache nifi: CVE-2020-9486
Title: Potential Information Disclosure in Application Logs Published: 2020-08-18 Severity: Medium Products: Apache NiFi Affected Versions: 1.10.0 to 1.11.4 Fixed Versions: 1.12.0 Reporter: Andy LoPresto and Pierre Villard References CVE Record: CVE-2020-9486 NVD Record: CVE-2020-9486 Apache Jira Issue: NIFI-7377 GitHub Pull Request: 4222 The NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext. NiFi 1.12.0 implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running any previous NiFi release should upgrade to 1.12.0.
Seve
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2020-08-24
Published