CVE-2020-4042
Last modified
CVE-2020-4042 is a medium-severity vulnerability rated 6.8/10 on the CVSS scale. Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to the director itself leading to the director responding to the replayed challenge. EPSS estimates a 0.97% chance of exploitation in the next 30 days.
Description
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to the director itself leading to the director responding to the replayed challenge. The response obtained is then a valid reply to the directors original challenge. This is fixed in version 19.2.8.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Bareos | Bareos | <= 19.2.7 | — |
| Bareos | Bareos | 19.2.8 | Pre |
References
- https://bugs.bareos.org/view.php?id=1250Vendor Advisory
- https://github.com/bareos/bareos/security/advisories/GHSA-vqpj-2vhj-h752Mitigation, Third Party Advisory
- https://bugs.bareos.org/view.php?id=1250Vendor Advisory
- https://github.com/bareos/bareos/security/advisories/GHSA-vqpj-2vhj-h752Mitigation, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-4042?
How severe is CVE-2020-4042?
How do I fix CVE-2020-4042?
Are you affected by CVE-2020-4042?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST