CVE-2020-15087

{"id": "CVE-2020-15087", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.8}]}, "published": "2020-06-30T17:15:10.877", "references": [{"url": "https://github.com/prestosql/presto/security/advisories/GHSA-f6pc-crhh-cp96", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://trino.io/docs/current/release/release-337.html#security-changes", "tags": ["Release Notes", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "In Presto before version 337, authenticated users can bypass authorization checks by directly accessing internal APIs. This impacts Presto server installations with secure internal communication configured. This does not affect installations that have not configured secure internal communication, as these installations are inherently insecure. This only affects Presto server installations. This does NOT affect clients such as the CLI or JDBC driver. This vulnerability has been fixed in version 337. Additionally, this issue can be mitigated by blocking network access to internal APIs on the coordinator and workers."}, {"lang": "es", "value": "En Presto versiones anteriores a 337, los usuarios autenticados pueden omitir las comprobaciones de autorizaci\u00f3n al acceder directamente a las API internas. Esto afecta las instalaciones del servidor Presto con una comunicaci\u00f3n interna segura configurada. Esto no afecta a las instalaciones que no han configurado una comunicaci\u00f3n interna segura, ya que estas instalaciones son no seguras inherentemente. Esto solo afecta a las instalaciones del servidor Presto. Esto NO afecta a clientes como la CLI o el controlador JDBC. Esta vulnerabilidad se ha corregido en la versi\u00f3n 337. Adem\u00e1s, este problema puede ser mitigado bloqueando el acceso de red a las API internas en el coordinador y trabajadores"}], "lastModified": "2022-10-21T18:01:15.083", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:prestosql:presto:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E70E23C-0925-427B-98AF-F86E379B63C9", "versionEndExcluding": "337"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}