CVE-2020-12852

The update feature for Pydio Cells 2.0.4 allows an administrator user to set a custom update URL and the public RSA key used to validate the downloaded update package. The update process involves downloading the updated binary file from a URL indicated in the update server response, validating its checksum and signature with the provided public key and finally replacing the current application binary. To complete the update process, the application’s service or appliance needs to be restarted. An attacker with administrator access can leverage the software update feature to force the application to download a custom binary that will replace current Pydio Cells binary. When the server or service is eventually restarted the attacker will be able to execute code under the privileges of the user running the application. In the Pydio Cells enterprise appliance this is with the privileges of the user named “pydio”.

CVSS v3 6.8 MEDIUM
CVSS v2.0 8.5 HIGH

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

8.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:M/Au:S/C:C/I:C/A:C

Exploitability : 6.8 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://packetstormsecurity.com/files/158002/Pydio-Cells-2.0.4-XSS-File-Write-Code-Execution.html	Third Party Advisory
https://www.coresecurity.com/advisories	Third Party Advisory
https://www.coresecurity.com/core-labs/advisories/pydio-cells-204-multiple-vulnerabilities	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pydio:cells:2.0.4:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-06-04 20:15

Updated : 2024-02-04 21:00

NVD link : CVE-2020-12852

Mitre link : CVE-2020-12852

CVE.ORG link : CVE-2020-12852

JSON object : View

Products Affected

pydio

cells

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2020-12852", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 8.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}]}, "published": "2020-06-04T20:15:11.880", "references": [{"url": "http://packetstormsecurity.com/files/158002/Pydio-Cells-2.0.4-XSS-File-Write-Code-Execution.html", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.coresecurity.com/advisories", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.coresecurity.com/core-labs/advisories/pydio-cells-204-multiple-vulnerabilities", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "The update feature for Pydio Cells 2.0.4 allows an administrator user to set a custom update URL and the public RSA key used to validate the downloaded update package. The update process involves downloading the updated binary file from a URL indicated in the update server response, validating its checksum and signature with the provided public key and finally replacing the current application binary. To complete the update process, the application\u2019s service or appliance needs to be restarted. An attacker with administrator access can leverage the software update feature to force the application to download a custom binary that will replace current Pydio Cells binary. When the server or service is eventually restarted the attacker will be able to execute code under the privileges of the user running the application. In the Pydio Cells enterprise appliance this is with the privileges of the user named \u201cpydio\u201d."}, {"lang": "es", "value": "La funcionalidad update para Pydio Cells versi\u00f3n 2.0.4, permite a un usuario administrador establecer una URL de actualizaci\u00f3n personalizada y la clave RSA p\u00fablica utilizada para validar el paquete de actualizaci\u00f3n descargado. El proceso de actualizaci\u00f3n involucra descargar el archivo binario actualizado desde una URL indicada en la respuesta del servidor de actualizaci\u00f3n, validar su suma de comprobaciones y firma con la clave p\u00fablica proporcionada y finalmente reemplazar el binario de la aplicaci\u00f3n actual. Para completar el proceso de actualizaci\u00f3n, es necesario reiniciar el servicio o dispositivo de la aplicaci\u00f3n. Un atacante con acceso de administrador puede aprovechar la funcionalidad de actualizaci\u00f3n de software para forzar a la aplicaci\u00f3n a descargar un binario personalizado que reemplazar\u00e1 el binario actual de Pydio Cells. Cuando el servidor o el servicio se reinicie, el atacante podr\u00e1 ejecutar c\u00f3digo bajo los privilegios del usuario que ejecuta la aplicaci\u00f3n. En el dispositivo empresarial Pydio Cells, esto se encuentra con los privilegios del usuario llamado \"pydio\""}], "lastModified": "2020-06-12T13:34:57.167", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pydio:cells:2.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DD71F82-734C-4DDA-B136-C26C71116D01"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}