Published: 10/07/2020 Updated: 15/07/2020

CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

CVSS v3 Base Score: 6.8 | Impact Score: 4 | Exploitability Score: 2.2

VMScore: 383

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Bareos before version 19.2.8 and previous versions allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to the director itself leading to the director responding to the replayed challenge. The response obtained is then a valid reply to the directors original challenge. This is fixed in version 19.2.8.

Vulnerable Product	Search on Vulmon	Subscribe to Product
bareos bareos
bareos bareos 19.2.8

Debian Bug report logs - #965985 CVE-2020-4042 / CVE-2020-11061 Package: src:bareos; Maintainer for src:bareos is Bareos Packaging Team <team+bareos@trackerdebianorg>; Reported by: Moritz Muehlenhoff <jmm@debianorg> Date: Tue, 21 Jul 2020 19:36:01 UTC Severity: grave Tags: security, upstream Found in versions bar ...

Debian Bug report logs - #968957 bareos: CVE-2020-11061 Package: src:bareos; Maintainer for src:bareos is Bareos Packaging Team <team+bareos@trackerdebianorg>; Reported by: Moritz Muehlenhoff <jmm@debianorg> Date: Tue, 21 Jul 2020 19:36:01 UTC Severity: grave Tags: security, upstream Found in versions bareos/172 ...

CWE-294 https://github.com/bareos/bareos/security/advisories/GHSA-vqpj-2vhj-h752 https://bugs.bareos.org/view.php?id=1250 https://nvd.nist.gov https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965985

CVE-2020-4042

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect