CVE-2020-29022 - Vulnerability Details - OpenCVE

Failure to Sanitize host header value on output in the GateManager Web server could allow an attacker to conduct web cache poisoning attacks. This issue affects Secomea GateManager all versions prior to 9.3

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Secomea	Gatemanager 4250 Gatemanager 4250 Firmware Gatemanager 4260 Gatemanager 4260 Firmware Gatemanager 8250 Gatemanager 8250 Firmware Gatemanager 9250 Gatemanager 9250 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:secomea:gatemanager_4250_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:secomea:gatemanager_4250:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:secomea:gatemanager_4260_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:secomea:gatemanager_4260:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:secomea:gatemanager_9250_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:secomea:gatemanager_9250:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:secomea:gatemanager_8250_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:secomea:gatemanager_8250:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.secomea.com/support/cybersecurity-advisory/#2923

History

No history.

MITRE

Status: PUBLISHED

Assigner: Secomea

Published: 2021-02-16T15:08:36.021278Z

Updated: 2024-09-16T16:18:06.251Z

Reserved: 2020-11-24T00:00:00

Link: CVE-2020-29022

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-02-16T16:15:12.533

Modified: 2024-11-21T05:23:31.880

Link: CVE-2020-29022

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "GateManager", "vendor": "Secomea", "versions": [{"lessThan": "9.3", "status": "affected", "version": "all", "versionType": "custom"}]}], "datePublic": "2021-02-16T00:00:00", "descriptions": [{"lang": "en", "value": "Failure to Sanitize host header value on output in the GateManager Web server could allow an attacker to conduct web cache poisoning attacks. This issue affects Secomea GateManager all versions prior to 9.3"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-159", "description": "CWE-159 Failure to Sanitize Special Element", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-16T15:08:36", "orgId": "f2815942-3388-4c08-ba09-6c15850fda90", "shortName": "Secomea"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.secomea.com/support/cybersecurity-advisory/#2923"}], "source": {"defect": ["RD-2923"], "discovery": "EXTERNAL"}, "title": "Host Header Injection allowing web cache poisoning attacks", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "VulnerabilityReporting@secomea.com", "DATE_PUBLIC": "2021-02-16T22:00:00.000Z", "ID": "CVE-2020-29022", "STATE": "PUBLIC", "TITLE": "Host Header Injection allowing web cache poisoning attacks"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GateManager", "version": {"version_data": [{"version_affected": "<", "version_name": "all", "version_value": "9.3"}]}}]}, "vendor_name": "Secomea"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Failure to Sanitize host header value on output in the GateManager Web server could allow an attacker to conduct web cache poisoning attacks. This issue affects Secomea GateManager all versions prior to 9.3"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-159 Failure to Sanitize Special Element"}]}]}, "references": {"reference_data": [{"name": "https://www.secomea.com/support/cybersecurity-advisory/#2923", "refsource": "MISC", "url": "https://www.secomea.com/support/cybersecurity-advisory/#2923"}]}, "source": {"defect": ["RD-2923"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:48:01.436Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.secomea.com/support/cybersecurity-advisory/#2923"}]}]}, "cveMetadata": {"assignerOrgId": "f2815942-3388-4c08-ba09-6c15850fda90", "assignerShortName": "Secomea", "cveId": "CVE-2020-29022", "datePublished": "2021-02-16T15:08:36.021278Z", "dateReserved": "2020-11-24T00:00:00", "dateUpdated": "2024-09-16T16:18:06.251Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:secomea:gatemanager_4250_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AFA20EA3-F08F-4EEC-993D-CFF3B64FEF8D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:secomea:gatemanager_4250:-:*:*:*:*:*:*:*", "matchCriteriaId": "0DB6136A-5440-4980-940D-CD178DC219B8", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:secomea:gatemanager_4260_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "048A7B3B-193A-475A-B764-AB6434757028", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:secomea:gatemanager_4260:-:*:*:*:*:*:*:*", "matchCriteriaId": "9B546E62-81BB-4ED8-87C9-41BD79484AD0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:secomea:gatemanager_9250_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1BAF966-A1EE-4B37-BE84-BF137449C6FF", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:secomea:gatemanager_9250:-:*:*:*:*:*:*:*", "matchCriteriaId": "68DE2092-2EA1-4D49-84EB-20BE2CD7B113", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:secomea:gatemanager_8250_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E0BA172-4047-4D60-9F37-A81EC4622376", "versionEndExcluding": "9.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:secomea:gatemanager_8250:-:*:*:*:*:*:*:*", "matchCriteriaId": "5089C475-2013-4DF6-AD1E-12F576ACAE8E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Failure to Sanitize host header value on output in the GateManager Web server could allow an attacker to conduct web cache poisoning attacks. This issue affects Secomea GateManager all versions prior to 9.3"}, {"lang": "es", "value": "Un fallo en la saneamiento del valor del encabezado del host en la salida del servidor web GateManager, podr\u00eda permitir a un atacante conducir ataques de envenenamiento de la cach\u00e9 web. Este problema afecta a Secomea GateManager todas las versiones anteriores a 9.3"}], "id": "CVE-2020-29022", "lastModified": "2024-11-21T05:23:31.880", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "VulnerabilityReporting@secomea.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-16T16:15:12.533", "references": [{"source": "VulnerabilityReporting@secomea.com", "tags": ["Vendor Advisory"], "url": "https://www.secomea.com/support/cybersecurity-advisory/#2923"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.secomea.com/support/cybersecurity-advisory/#2923"}], "sourceIdentifier": "VulnerabilityReporting@secomea.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-159"}], "source": "VulnerabilityReporting@secomea.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}