Remote Code Execution Vulnerability in Pydio Cells by Pydio
CVE-2020-12852

6.8 MEDIUM

Key Information:

Vendor: Pydio
Status: Vendor
CVE Published: 4 June 2020

What is CVE-2020-12852?

The update feature in Pydio Cells 2.0.4 allows an administrator to define a custom update URL and to supply the public RSA key used to validate downloaded updates. Because the same administrator controls both the download location and the key the validation is checked against, the signature check offers no protection against a malicious administrator: an attacker with administrative access can point the updater at a binary of their choosing instead of the legitimate update. When the application restarts, that binary runs with the privileges of the application user, giving the attacker control over the host.

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged
