CVE-2020-28337

Description:
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.

CWE: CWE-22

CVSS rating
CVSS 2: MEDIUM – 6.5 (Version: 2.0)
CVSS 3: HIGH – 7.2 (Version: 3.1)

Links:

NVD – CVE-2020-28337
CVE – CVE-2020-28337

Link (max. 20) Source Tags
https://sl1nki.page/advisories/CVE-2020-28337 MISC Third Party Advisory
https://sl1nki.page/blog/2021/02/01/microweber-zip-slip MISC Exploit Patch Third Party Advisory
https://github.com/microweber/microweber/commit/777ee9c3e7519eb3672c79ac41066175b2001b50 MISC Patch Third Party Advisory
http://packetstormsecurity.com/files/162514/Microweber-CMS-1.1.20-Remote-Code-Execution.html MISC Third Party Advisory
https://security.netapp.com/advisory/ntap-20210219-0009/ CONFIRM Third Party Advisory
https://www.tenable.com/security/tns-2021-03 CONFIRM Third Party Advisory
GLSA-202103-03 GENTOO Mailing List Third Party Advisory
https://www.tenable.com/security/tns-2021-09 CONFIRM Mailing List Third Party Advisory
[kafka-jira] 20210302 [GitHub] [kafka] ableegoldman commented on pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223 MLIST Mailing List Third Party Advisory
[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10245: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223 MLIST Mailing List Third Party Advisory
[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223 MLIST Mailing List Third Party Advisory
[kafka-commits] 20210302 [kafka] branch 2.8 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223 MLIST Mailing List Third Party Advisory
[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223 MLIST Mailing List Third Party Advisory
[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12400) Upgrade jetty to fix CVE-2020-27223 MLIST Mailing List Third Party Advisory
[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12400: Upgrade jetty to fix CVE-2020-27223 MLIST Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r3ce0e31b25ad4ee8f7c42b62cfdc72d1b586f5d6accd23f5295b6dd1@%3Cdev.kafka.apache.org%3E MISC Mailing List Third Party Advisory
https://lists.apache.org/thread.html/re0d38cc2b5da28f708fc89de49036f3ace052c47a1202f7d70291614@%3Cdev.kafka.apache.org%3E MISC Mailing List Third Party Advisory
[activemq-gitbox] 20210303 [GitHub] [activemq] ehossack-aws opened a new pull request #616: Upgrade to Jetty 9.4.38.v20210224 MLIST Mailing List Third Party Advisory
[zookeeper-notifications] 20210307 [GitHub] [zookeeper] ztzg commented on pull request #1623: ZOOKEEPER-4233: dependency-check:check failing – Jetty 9.4.35.v20201120 – CVE-2020-27223 MLIST Mailing List Third Party Advisory
[zookeeper-notifications] 20210307 [GitHub] [zookeeper] ztzg opened a new pull request #1624: ZOOKEEPER-4233: dependency-check:check failing – Jetty 9.4.35.v20201120 – CVE-2020-27223 MLIST Mailing List Third Party Advisory

Source: NVD – CVE-2020-28337
Published: 2021-02-15T20:15Z, Last modified: 2021-05-10T17:15Z