Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-10871

In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other (more complex) ways, and there is no plan to restrict the information further

Published

2020-03-23T20:15:11.917

Last Modified

2024-11-21T04:56:15.770

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	openwrt	luci	git-20.049.11521-bebfe20	Yes
Application	openwrt	luci	git-20.078.22902-0ed0d42	Yes

References

https://github.com/openwrt/luci/issues/3563#issuecomment-578522860 Patch, Third Party Advisory ([email protected])
https://github.com/openwrt/luci/issues/3653#issue-567892007 Exploit, Third Party Advisory ([email protected])
https://github.com/openwrt/luci/issues/3766 Exploit, Third Party Advisory ([email protected])
https://github.com/openwrt/luci/issues/3563#issuecomment-578522860 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/openwrt/luci/issues/3653#issue-567892007 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/openwrt/luci/issues/3766 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)