CVE-2020-3996

Velero (prior to 1.4.3 and 1.5.2) in some instances doesn’t properly manage volume identifiers which may result in information leakage to unauthorized users.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/vmware-tanzu/velero/security/advisories/GHSA-72xg-3mcq-52v4	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vmware:velero::::::::
	cpe:2.3:a:vmware:velero::::::::

History

No history.

Information

Published : 2020-10-22 21:15

Updated : 2020-10-30 15:20

NVD link : CVE-2020-3996

Mitre link : CVE-2020-3996

CVE.ORG link : CVE-2020-3996

JSON object : View

Products Affected

vmware

velero

CWE

NVD-CWE-noinfo

{"id": "CVE-2020-3996", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2020-10-22T21:15:14.247", "references": [{"url": "https://github.com/vmware-tanzu/velero/security/advisories/GHSA-72xg-3mcq-52v4", "tags": ["Third Party Advisory"], "source": "security@vmware.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Velero (prior to 1.4.3 and 1.5.2) in some instances doesn\u2019t properly manage volume identifiers which may result in information leakage to unauthorized users."}, {"lang": "es", "value": "Velero (versiones anteriores a 1.4.3 y 1.5.2) en algunos casos no administra apropiadamente los identificadores de volumen, lo que puede resultar en una filtraci\u00f3n de informaci\u00f3n para usuarios no autorizados"}], "lastModified": "2020-10-30T15:20:57.730", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vmware:velero:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB2A02AD-36BD-4664-8856-689F408DBB64", "versionEndExcluding": "1.4.3"}, {"criteria": "cpe:2.3:a:vmware:velero:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F8684CB-4FCA-4DC3-95AE-37D7C93499D1", "versionEndExcluding": "1.5.2", "versionStartIncluding": "1.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@vmware.com"}