CVE-2020-13656

{"id": "CVE-2020-13656", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-06-12T23:15:10.697", "references": [{"url": "https://know.bishopfox.com/advisories/oob-to-rce-exploitation-of-the-hobbes-functional-interpreter", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://know.bishopfox.com/advisories/oob-to-rce-exploitation-of-the-hobbes-functional-interpreter", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In Morgan Stanley Hobbes through 2020-05-21, the array implementation lacks bounds checking, allowing exploitation of an out-of-bounds (OOB) read/write vulnerability that leads to both local and remote code (via RPC) execution."}, {"lang": "es", "value": "En Morgan Stanley Hobbes hasta el 21-05-2020, la implementaci\u00f3n de la matriz carece de una comprobaci\u00f3n de l\u00edmites, permitiendo la explotaci\u00f3n de una vulnerabilidad de lectura/escritura fuera de l\u00edmites (OOB) que conlleva a una ejecuci\u00f3n de c\u00f3digo tanto local como remota (por medio de RPC)"}], "lastModified": "2024-11-21T05:01:41.693", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:morganstanley:hobbes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C52C517-2A72-4B64-8F9F-6BE2A911B37B", "versionEndIncluding": "2020-05-21"}], "operator": "OR"}]}], "vendorComments": [{"comment": "The issue outlined in the CVE has been addressed in the latest release of Hobbes as of September 29, 2020. More information on the usage of Hobbes is detailed in the README.md of the project at https://github.com/Morgan-Stanley/hobbes", "lastModified": "2020-11-09T15:38:04.330", "organization": "Morgan Stanley"}], "sourceIdentifier": "cve@mitre.org"}