Lucene search

MitreCVE-2018-20745

HistoryJan 28, 2019 - 8:29 a.m.

CVE-2018-20745

2019-01-2808:29:00

CWE-346

mitre

web.nvd.nist.gov

cve-2018-20745

yii 2.x

cors

security vulnerability

nvd

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

5.7

Confidence

High

EPSS

0.001

Percentile

35.4%

JSON

Yii 2.x through 2.0.15.1 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.

Affected configurations

Nvd

Node

yiiframeworkyiiRange2.0–2.0.15.1

VendorProductVersionCPE
yiiframeworkyii*cpe:2.3:a:yiiframework:yii:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
yiiframework	yii	*	cpe:2.3:a:yiiframework:yii::::::::

References

github.com/yiisoft/yii2/issues/16193

www.usenix.org/system/files/conference/usenixsecurity18/sec18-chen.pdf

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

5.7

Confidence

High

EPSS

0.001

Percentile

35.4%

JSON

Related for CVE-2018-20745