{"id": "CVE-2020-26253", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2020-12-08T02:15:10.507", "references": [{"url": "https://github.com/getkirby-v2/panel/commit/7f9ac1876bacb89fd8f142f5e561a02ebb725baa", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/getkirby/kirby/releases/tag/3.3.6", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": 
"https://github.com/getkirby/kirby/security/advisories/GHSA-2ccx-2gf3-8xvv", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://packagist.org/packages/getkirby/cms", "tags": ["Product", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://packagist.org/packages/getkirby/panel", "tags": ["Product", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/getkirby-v2/panel/commit/7f9ac1876bacb89fd8f142f5e561a02ebb725baa", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/getkirby/kirby/releases/tag/3.3.6", "tags": ["Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-2ccx-2gf3-8xvv", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://packagist.org/packages/getkirby/cms", "tags": ["Product", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://packagist.org/packages/getkirby/panel", "tags": ["Product", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-346"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-346"}]}], "descriptions": [{"lang": "en", "value": "Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by default. 
This is a security feature, which we implemented years ago in Kirby 2. It helps to avoid that you forget registering your first admin account on a public server. In this case \u2013 without our security block \u2013 someone else might theoretically be able to find your site, find out it's running on Kirby, find the Panel and then register the account first. It's an unlikely situation, but it's still a certain risk. To be able to register the first Panel account on a public server, you have to enforce the installer via a config setting. This helps to push all users to the best practice of registering your first Panel account on your local machine and upload it together with the rest of the site. This installation block implementation in Kirby versions before 3.3.6 still assumed that .dev domains are local domains, which is no longer true. In the meantime, those domains became publicly available. This means that our installation block is no longer working as expected if you use a .dev domain for your Kirby site. Additionally the local installation check may also fail if your site is behind a reverse proxy. You are only affected if you use a .dev domain or your site is behind a reverse proxy and you have not yet registered your first Panel account on the public server and someone finds your site and tries to login at `yourdomain.dev/panel` before you register your first account. You are not affected if you have already created one or multiple Panel accounts (no matter if on a .dev domain or behind a reverse proxy). The problem has been patched in Kirby 3.3.6. Please upgrade to this or a later version to fix the vulnerability."}, {"lang": "es", "value": "Kirby es un CMS. En Kirby CMS (getkirby/cms) anterior a versi\u00f3n 3.3.6, y Kirby Panel anterior a versi\u00f3n 2.5.14, se presenta una vulnerabilidad en la que se puede acceder al panel de administraci\u00f3n si est\u00e1 alojado en un dominio .dev. 
A fin de proteger nuevas instalaciones en servidores p\u00fablicos que no tienen una cuenta de administrador para el Panel a\u00fan, bloqueamos el registro de cuenta all\u00ed por defecto. Esta es una caracter\u00edstica de seguridad que implementamos hace a\u00f1os en Kirby versi\u00f3n 2. Ayuda a evitar que olvide registrar su primera cuenta de administrador en un servidor p\u00fablico. En este caso, sin nuestro bloqueo de seguridad, te\u00f3ricamente alguien m\u00e1s podr\u00eda encontrar su sitio, detectar que se est\u00e1 ejecutando en Kirby, buscar el Panel y luego registrar la cuenta primero. Es una situaci\u00f3n poco probable, pero sigue siendo un cierto riesgo. Para poder registrar la primera cuenta del Panel en un servidor p\u00fablico, tienes que aplicar el instalador por medio de un ajuste de configuraci\u00f3n. Esto ayuda a impulsar a todos los usuarios a la mejor pr\u00e1ctica de registrar su primera cuenta del Panel en su m\u00e1quina local y cargarla junto con el resto del sitio. Esta implementaci\u00f3n del bloque de instalaci\u00f3n en las versiones de Kirby anteriores a 3.3.6 a\u00fan asum\u00eda que los dominios .dev son dominios locales, lo cual ya no es cierto. Mientras tanto, esos dominios se hicieron disponibles p\u00fablicamente. Esto significa que nuestro bloque de instalaci\u00f3n ya no funciona como se esperaba si usa un dominio .dev para su sitio de Kirby. Adem\u00e1s, la comprobaci\u00f3n de la instalaci\u00f3n local tambi\u00e9n puede presentar un fallo si su sitio est\u00e1 detr\u00e1s de un proxy inverso. Solo estar\u00e1 afectado si usa un dominio .dev o su sitio est\u00e1 detr\u00e1s de un proxy inverso y a\u00fan no ha registrado su primera cuenta del Panel en el servidor p\u00fablico y alguien encuentra su sitio e intenta iniciar sesi\u00f3n en \"yourdomain.dev/panel\" antes de que registre su primera cuenta. 
No estar\u00e1 afectado si ya ha creado una o varias cuentas del Panel (sin importar si est\u00e1 en un dominio .dev o detr\u00e1s de un proxy inverso). El problema ha sido parcheado en Kirby versi\u00f3n 3.3.6. Actualice a esta o una versi\u00f3n posterior para corregir la vulnerabilidad"}], "lastModified": "2024-11-21T05:19:40.113", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:getkirby:kirby:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5537B2C0-FA74-44FE-973D-F5FB820B0C81", "versionEndExcluding": "3.3.6"}, {"criteria": "cpe:2.3:a:getkirby:panel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33033A60-7661-4FFE-969A-3ECA22773648", "versionEndExcluding": "2.5.14"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}