
CVE-2020-11728

Published: 15/04/2020 Updated: 28/09/2020
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

An issue exists in DAViCal Andrew's Web Libraries (AWL) up to and including 0.60. Session management does not use a sufficiently hard-to-guess session key. Anyone who can guess the microsecond time (and the incrementing session_id) can impersonate a session.

Vulnerable Product

davical andrew's web libraries

debian debian linux 8.0

debian debian linux 9.0

debian debian linux 10.0

Vendor Advisories

Debian Bug report logs - #956650 awl: CVE-2020-11728 CVE-2020-11729 Package: src:awl; Maintainer for src:awl is Davical Development Team <davical-devel@lists.sourceforge.net>; Reported by: Florian Schlichting <fsfs@debian.org>; Date: Mon, 13 Apr 2020 21:51:02 UTC; Severity: important; Tags: fixed-upstream, security, ups ...

Andrew Bartlett discovered that awl, DAViCal Andrew's Web Libraries, did not properly handle session management: this would allow a malicious user to impersonate other sessions or users. For the oldstable distribution (stretch), these problems have been fixed in version 0.57-1+deb9u1. For the stable distribution (buster), these problems have been f ...