CVE-2020-11847

SSH authenticated user when access the PAM server can execute an OS command to gain the full system access using bash. This issue affects Privileged Access Manager before 3.7.0.1.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.5 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.netiq.com/documentation/privileged-account-manager-37/npam_3701_releasenotes/data/npam_3701_releasenotes.html	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:microfocus:netiq_privileged_access_manager::::::::
	cpe:2.3:a:microfocus:netiq_privileged_access_manager:3.7:-::::::

History

No history.

Information

Published : 2024-08-21 14:15

Updated : 2024-08-23 17:04

NVD link : CVE-2020-11847

Mitre link : CVE-2020-11847

CVE.ORG link : CVE-2020-11847

JSON object : View

Products Affected

microfocus

netiq_privileged_access_manager

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2020-11847", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@opentext.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-08-21T14:15:07.957", "references": [{"url": "https://www.netiq.com/documentation/privileged-account-manager-37/npam_3701_releasenotes/data/npam_3701_releasenotes.html", "tags": ["Release Notes"], "source": "security@opentext.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@opentext.com", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "SSH authenticated user when access the PAM server can execute an OS command to gain the full system access using bash. This issue affects Privileged Access Manager before 3.7.0.1."}, {"lang": "es", "value": "El usuario autenticado por SSH cuando accede al servidor PAM puede ejecutar un comando del sistema operativo para obtener acceso completo al sistema mediante bash. Este problema afecta a Privileged Access Manager anterior a 3.7.0.1."}], "lastModified": "2024-08-23T17:04:30.110", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microfocus:netiq_privileged_access_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA2CD967-B489-4A21-8B40-77723EA447CE", "versionEndExcluding": "3.7"}, {"criteria": "cpe:2.3:a:microfocus:netiq_privileged_access_manager:3.7:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B555DD5F-DF6C-4A46-9F75-C668D9E48D4E"}], "operator": "OR"}]}], "sourceIdentifier": "security@opentext.com"}