cnvd - cnvd-2021-02376

cnvd-2021-02376

Vulnerability from cnvd

Title: Adobe Experience Manager盲服务器端请求伪造漏洞

Description:

Adobe Experience Manager（AEM）是美国奥多比（Adobe）公司的一套可用于构建网站、移动应用程序和表单的内容管理解决方案。该方案支持移动内容管理、营销销售活动管理和多站点管理等。

Adobe Experience Manager存在安全漏洞，该漏洞源于未能充分验证用户提供的输入。攻击者可以利用该漏洞访问位于本地网络中的敏感数据。

Severity: 中

Patch Name: Adobe Experience Manager盲服务器端请求伪造漏洞的补丁

Patch Description:

Adobe Experience Manager存在安全漏洞，该漏洞源于未能充分验证用户提供的输入。攻击者可以利用该漏洞访问位于本地网络中的敏感数据。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html

Reference: https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html

Impacted products

Name
['Adobe Experience Manager（AEM） 6.0', 'Adobe Experience Manager（AEM） 6.0 HOTFIX 25133', 'Adobe Experience Manager（AEM） 6.1', 'Adobe Experience Manager（AEM） 6.1-SP2-CFP17', 'Adobe Experience Manager（AEM） 6.2', 'Adobe Experience Manager（AEM） 6.2-SP1-CFP15', 'Adobe Experience Manager（AEM） 6.3', 'Adobe Experience Manager（AEM） 6.3.1.0', 'Adobe Experience Manager（AEM） 6.3.2.0', 'Adobe Experience Manager（AEM） 6.3.2.2', 'Adobe Experience Manager（AEM） 6.3.3.0', 'Adobe Experience Manager（AEM） 6.3.3.2', 'Adobe Experience Manager（AEM） 6.3.3.7', 'Adobe Experience Manager（AEM） 6.3.3.8', 'Adobe Experience Manager（AEM） 6.4', 'Adobe Experience Manager（AEM） 6.4.0', 'Adobe Experience Manager（AEM） 6.4.0 HOTFIX 30379', 'Adobe Experience Manager（AEM） 6.4.0 HOTFIX 31868', 'Adobe Experience Manager（AEM） 1.0', 'Adobe Experience Manager（AEM） 6.4.2.0', 'Adobe Experience Manager（AEM） 6.4.3.0', 'Adobe Experience Manager（AEM） 6.4.7.0', 'Adobe Experience Manager（AEM） 6.4.8.0', 'Adobe Experience Manager（AEM） 6.4.8.1', 'Adobe Experience Manager（AEM） 6.4.8.2', 'Adobe Experience Manager（AEM） 6.5', 'Adobe Experience Manager（AEM） 6.5.0 HOTFIX 30379', 'Adobe Experience Manager（AEM） 6.5.0 HOTFIX 31870', 'Adobe Experience Manager（AEM） 6.5.3.0', 'Adobe Experience Manager（AEM） 6.5.4.0', 'Adobe Experience Manager（AEM） 5.0', 'Adobe Experience Manager（AEM） 6.5.6.0']

Name

['Adobe Experience Manager（AEM） 6.0', 'Adobe Experience Manager（AEM） 6.0 HOTFIX 25133', 'Adobe Experience Manager（AEM） 6.1', 'Adobe Experience Manager（AEM） 6.1-SP2-CFP17', 'Adobe Experience Manager（AEM） 6.2', 'Adobe Experience Manager（AEM） 6.2-SP1-CFP15', 'Adobe Experience Manager（AEM） 6.3', 'Adobe Experience Manager（AEM） 6.3.1.0', 'Adobe Experience Manager（AEM） 6.3.2.0', 'Adobe Experience Manager（AEM） 6.3.2.2', 'Adobe Experience Manager（AEM） 6.3.3.0', 'Adobe Experience Manager（AEM） 6.3.3.2', 'Adobe Experience Manager（AEM） 6.3.3.7', 'Adobe Experience Manager（AEM） 6.3.3.8', 'Adobe Experience Manager（AEM） 6.4', 'Adobe Experience Manager（AEM） 6.4.0', 'Adobe Experience Manager（AEM） 6.4.0 HOTFIX 30379', 'Adobe Experience Manager（AEM） 6.4.0 HOTFIX 31868', 'Adobe Experience Manager（AEM） 1.0', 'Adobe Experience Manager（AEM） 6.4.2.0', 'Adobe Experience Manager（AEM） 6.4.3.0', 'Adobe Experience Manager（AEM） 6.4.7.0', 'Adobe Experience Manager（AEM） 6.4.8.0', 'Adobe Experience Manager（AEM） 6.4.8.1', 'Adobe Experience Manager（AEM） 6.4.8.2', 'Adobe Experience Manager（AEM） 6.5', 'Adobe Experience Manager（AEM） 6.5.0 HOTFIX 30379', 'Adobe Experience Manager（AEM） 6.5.0 HOTFIX 31870', 'Adobe Experience Manager（AEM） 6.5.3.0', 'Adobe Experience Manager（AEM） 6.5.4.0', 'Adobe Experience Manager（AEM） 5.0', 'Adobe Experience Manager（AEM） 6.5.6.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-24444",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-24444"
    }
  },
  "description": "Adobe Experience Manager\uff08AEM\uff09\u662f\u7f8e\u56fd\u5965\u591a\u6bd4\uff08Adobe\uff09\u516c\u53f8\u7684\u4e00\u5957\u53ef\u7528\u4e8e\u6784\u5efa\u7f51\u7ad9\u3001\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u548c\u8868\u5355\u7684\u5185\u5bb9\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u65b9\u6848\u652f\u6301\u79fb\u52a8\u5185\u5bb9\u7ba1\u7406\u3001\u8425\u9500\u9500\u552e\u6d3b\u52a8\u7ba1\u7406\u548c\u591a\u7ad9\u70b9\u7ba1\u7406\u7b49\u3002\n\nAdobe Experience Manager\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u80fd\u5145\u5206\u9a8c\u8bc1\u7528\u6237\u63d0\u4f9b\u7684\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u4f4d\u4e8e\u672c\u5730\u7f51\u7edc\u4e2d\u7684\u654f\u611f\u6570\u636e\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://helpx.adobe.com/security/products/experience-manager/apsb20-72.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-02376",
  "openTime": "2021-01-13",
  "patchDescription": "Adobe Experience Manager\uff08AEM\uff09\u662f\u7f8e\u56fd\u5965\u591a\u6bd4\uff08Adobe\uff09\u516c\u53f8\u7684\u4e00\u5957\u53ef\u7528\u4e8e\u6784\u5efa\u7f51\u7ad9\u3001\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u548c\u8868\u5355\u7684\u5185\u5bb9\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u65b9\u6848\u652f\u6301\u79fb\u52a8\u5185\u5bb9\u7ba1\u7406\u3001\u8425\u9500\u9500\u552e\u6d3b\u52a8\u7ba1\u7406\u548c\u591a\u7ad9\u70b9\u7ba1\u7406\u7b49\u3002\r\n\r\nAdobe Experience Manager\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u80fd\u5145\u5206\u9a8c\u8bc1\u7528\u6237\u63d0\u4f9b\u7684\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u4f4d\u4e8e\u672c\u5730\u7f51\u7edc\u4e2d\u7684\u654f\u611f\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Adobe Experience Manager\u76f2\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Adobe Experience Manager\uff08AEM\uff09 6.0",
      "Adobe Experience Manager\uff08AEM\uff09 6.0 HOTFIX 25133",
      "Adobe Experience Manager\uff08AEM\uff09 6.1",
      "Adobe Experience Manager\uff08AEM\uff09 6.1-SP2-CFP17",
      "Adobe Experience Manager\uff08AEM\uff09 6.2",
      "Adobe Experience Manager\uff08AEM\uff09 6.2-SP1-CFP15",
      "Adobe Experience Manager\uff08AEM\uff09 6.3",
      "Adobe Experience Manager\uff08AEM\uff09 6.3.1.0",
      "Adobe Experience Manager\uff08AEM\uff09 6.3.2.0",
      "Adobe Experience Manager\uff08AEM\uff09 6.3.2.2",
      "Adobe Experience Manager\uff08AEM\uff09 6.3.3.0",
      "Adobe Experience Manager\uff08AEM\uff09 6.3.3.2",
      "Adobe Experience Manager\uff08AEM\uff09 6.3.3.7",
      "Adobe Experience Manager\uff08AEM\uff09 6.3.3.8",
      "Adobe Experience Manager\uff08AEM\uff09 6.4",
      "Adobe Experience Manager\uff08AEM\uff09 6.4.0",
      "Adobe Experience Manager\uff08AEM\uff09 6.4.0 HOTFIX 30379",
      "Adobe Experience Manager\uff08AEM\uff09 6.4.0 HOTFIX 31868",
      "Adobe Experience Manager\uff08AEM\uff09  1.0",
      "Adobe Experience Manager\uff08AEM\uff09 6.4.2.0",
      "Adobe Experience Manager\uff08AEM\uff09 6.4.3.0",
      "Adobe Experience Manager\uff08AEM\uff09 6.4.7.0",
      "Adobe Experience Manager\uff08AEM\uff09 6.4.8.0",
      "Adobe Experience Manager\uff08AEM\uff09 6.4.8.1",
      "Adobe Experience Manager\uff08AEM\uff09 6.4.8.2",
      "Adobe Experience Manager\uff08AEM\uff09 6.5",
      "Adobe Experience Manager\uff08AEM\uff09 6.5.0 HOTFIX 30379",
      "Adobe Experience Manager\uff08AEM\uff09 6.5.0 HOTFIX 31870",
      "Adobe Experience Manager\uff08AEM\uff09 6.5.3.0",
      "Adobe Experience Manager\uff08AEM\uff09 6.5.4.0",
      "Adobe Experience Manager\uff08AEM\uff09  5.0",
      "Adobe Experience Manager\uff08AEM\uff09 6.5.6.0"
    ]
  },
  "referenceLink": "https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html",
  "serverity": "\u4e2d",
  "submitTime": "2020-12-15",
  "title": "Adobe Experience Manager\u76f2\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

CVE-2020-24444 (GCVE-0-2020-24444)

Vulnerability from cvelistv5

Published

2020-12-10 05:32

Modified

2024-09-17 01:11

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF) ()

Summary

AEM Forms SP6 add-on for AEM 6.5.6.0 and Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) have a blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability could be exploited by an unauthenticated attacker to gather information about internal systems that reside on the same network.

References

▼	URL	Tags
	https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Adobe	Experience Manager	Version: <= Forms SP6 add-on for AEM 6.5.6.0 Version: <= Forms SP8 add-on for AEM 6.4.8.2 Version: <= None

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:12:08.932Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Experience Manager",
          "vendor": "Adobe",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= Forms SP6 add-on for AEM 6.5.6.0"
            },
            {
              "status": "affected",
              "version": "\u003c= Forms SP8 add-on for AEM 6.4.8.2"
            },
            {
              "status": "affected",
              "version": "\u003c= None"
            }
          ]
        }
      ],
      "datePublic": "2020-12-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "AEM Forms SP6 add-on for AEM 6.5.6.0 and Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) have a blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability could be exploited by an unauthenticated attacker to gather information about internal systems that reside on the same network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "Server-Side Request Forgery (SSRF) (CWE-918)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-10T05:32:53",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Blind SSRF in Forms add-on for AEM",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@adobe.com",
          "DATE_PUBLIC": "2020-12-08T23:00:00.000Z",
          "ID": "CVE-2020-24444",
          "STATE": "PUBLIC",
          "TITLE": "Blind SSRF in Forms add-on for AEM"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Experience Manager",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c= Forms SP6 add-on for AEM 6.5.6.0"
                          },
                          {
                            "version_value": "\u003c= Forms SP8 add-on for AEM 6.4.8.2"
                          },
                          {
                            "version_value": "\u003c= None"
                          },
                          {
                            "version_value": "\u003c= None"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Adobe"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "AEM Forms SP6 add-on for AEM 6.5.6.0 and Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) have a blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability could be exploited by an unauthenticated attacker to gather information about internal systems that reside on the same network."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "availabilityImpact": "None",
            "baseScore": 5.8,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Changed",
            "userInteraction": "None",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Server-Side Request Forgery (SSRF) (CWE-918)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html",
              "refsource": "CONFIRM",
              "url": "https://helpx.adobe.com/security/products/experience-manager/apsb20-72.html"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2020-24444",
    "datePublished": "2020-12-10T05:32:53.787246Z",
    "dateReserved": "2020-08-19T00:00:00",
    "dateUpdated": "2024-09-17T01:11:53.601Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted