Lucene search

MitreCVELIST:CVE-2020-26118

HistoryJan 11, 2021 - 2:53 p.m.

CVE-2020-26118

2021-01-1114:53:26

mitre

www.cve.org

smartbear

collaborator server

vulnerability

java deserialization

gwt api

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.002

Percentile

55.3%

JSON

In SmartBear Collaborator Server through 13.3.13302, use of the Google Web Toolkit (GWT) API introduces a post-authentication Java deserialization vulnerability. The application’s UpdateMemento class accepts a serialized Java object directly from the user without properly sanitizing it. A malicious object can be submitted to the server via an authenticated attacker to execute commands on the underlying system.

References

support.smartbear.com/collaborator/docs/general-info/version-history/ver-13/ver-13-0.html

support.smartbear.com/collaborator/docs/general-info/whats-new.html

support.smartbear.com/collaborator/docs/server/index.html

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.002

Percentile

55.3%

JSON

Related for CVELIST:CVE-2020-26118