Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-9386

In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, file metadata information is disclosed to group members in the Elasticsearch result list despite them not having access to that artefact anymore.

Published

2020-03-09T16:15:16.017

Last Modified

2024-11-21T05:40:32.173

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	mahara	mahara	< 18.10.5	Yes
Application	mahara	mahara	< 19.04.4	Yes
Application	mahara	mahara	< 19.10.2	Yes

References

https://bugs.launchpad.net/mahara/+bug/1840201 Issue Tracking, Patch, Third Party Advisory ([email protected])
https://mahara.org/interaction/forum/topic.php?id=8589 Vendor Advisory ([email protected])
https://bugs.launchpad.net/mahara/+bug/1840201 Issue Tracking, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://mahara.org/interaction/forum/topic.php?id=8589 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)