CVE-2020-11061
CVE-2020-11061 is a high-severity vulnerability rated 7.4/10 on the CVSS scale. In Bareos Director versions up to and including 16.2.10, 17.2.9, 18.2.8 and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. EPSS estimates a 1.24% chance of exploitation in the next 30 days.
Description
In Bareos Director versions up to and including 16.2.10, 17.2.9, 18.2.8 and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is patched in Bareos versions 19.2.8, 18.2.9 and 17.2.10.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Bareos | Bareos | <= 16.2.10 | — |
| Bareos | Bareos | >= 17.2.4, <= 17.2.9 | — |
| Bareos | Bareos | >= 18.2.5, <= 18.2.8 | — |
| Bareos | Bareos | >= 18.4.1, <= 19.2.7 | — |
| Bareos | Bareos | 18.2.4 | rc1 |
| Debian | Debian Linux | 9.0 | — |
References
- https://bugs.bareos.org/view.php?id=1210 (Vendor Advisory)
- https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4 (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2020/08/msg00051.html (Mailing List, Third Party Advisory)
Source: NVD / NIST
