CVE-2020-11061

Published Jul 10, 2020

Last updated 2 years ago

CVSS high 7.4

Overview

Description: In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in Bareos versions 19.2.8, 18.2.9 and 17.2.10.
Source: security-advisories@github.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.4
Impact score: 3.7
Exploitability score: 3.1
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 6
Impact score: 6.4
Exploitability score: 6.8
Vector string: AV:N/AC:M/Au:S/C:P/I:P/A:P

Weaknesses

security-advisories@github.com: CWE-122
nvd@nist.gov: CWE-787

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:bareos:bareos:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "72B0B3A9-13BA-4BD3-A83B-57FAC6142D58",
            "versionEndIncluding": "16.2.10"
          },
          {
            "criteria": "cpe:2.3:a:bareos:bareos:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A2202616-3D50-475B-B7E9-8462D86415CD",
            "versionEndIncluding": "17.2.9",
            "versionStartIncluding": "17.2.4"
          },
          {
            "criteria": "cpe:2.3:a:bareos:bareos:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A8DFB7AE-7974-4DBD-BABE-377482CF843F",
            "versionEndIncluding": "18.2.8",
            "versionStartIncluding": "18.2.5"
          },
          {
            "criteria": "cpe:2.3:a:bareos:bareos:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "67497866-DA6E-4077-8C53-EF6D7B442B6A",
            "versionEndIncluding": "19.2.7",
            "versionStartIncluding": "18.4.1"
          },
          {
            "criteria": "cpe:2.3:a:bareos:bareos:18.2.4:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "158CA481-DC00-4AC1-8A4E-6E256D6065A9"
          },
          {
            "criteria": "cpe:2.3:a:bareos:bareos:18.2.4:rc2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "84D7C5FC-7EB3-406E-941C-A7F4C5569117"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References