{"containers":{"cna":{"affected":[{"product":"Unity Orchestrator","vendor":"Silver Peak Systems, Inc.","versions":[{"status":"affected","version":"All versions affected prior to Silver Peak Unity Orchestrator 8.9.11+"},{"status":"affected","version":"8.10.11+"},{"status":"affected","version":"or 9.0.1+."}]}],"credits":[{"lang":"en","value":"This vulnerability was reported to Silver Peak by the security team at Realmode Labs."}],"datePublic":"2020-10-31T00:00:00.000Z","descriptions":[{"lang":"en","value":"Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ uses HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted by customers –on-premise or in a public cloud provider –are affected by this vulnerability."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.6,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"description":"CVE-2020-12145","lang":"en","type":"text"}]},{"descriptions":[{"cweId":"CWE-287","description":"CWE-287 Improper Authentication","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2020-11-05T18:48:31.000Z","orgId":"83cc1b1a-46b0-4ac1-94f2-bbef3319bc4c","shortName":"Silver Peak"},"references":[{"tags":["x_refsource_MISC"],"url":"https://www.silver-peak.com/support/user-documentation/security-advisories"}],"solutions":[{"lang":"en","value":"Recommended Actions for Silver Peak Customers: Upgrade to Orchestrator 8.9.11+, 8.10.11+, or 9.0.1+."}],"source":{"advisory":"Security Advisory 2020-10-31-01-001","discovery":"EXTERNAL"},"title":"Silver Peak Unity OrchestratorTM authentication can be subverted through manipulation of HTTP headers.","x_generator":{"engine":"Vulnogram 0.0.9"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"sirt@silver-peak.com","DATE_PUBLIC":"2020-10-31T16:00:00.000Z","ID":"CVE-2020-12145","STATE":"PUBLIC","TITLE":"Silver Peak Unity OrchestratorTM authentication can be subverted through manipulation of HTTP headers."},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Unity Orchestrator","version":{"version_data":[{"version_value":"All versions affected prior to Silver Peak Unity Orchestrator 8.9.11+"},{"version_value":"8.10.11+"},{"version_value":"or 9.0.1+."}]}}]},"vendor_name":"Silver Peak Systems, Inc."}]}},"credit":[{"lang":"eng","value":"This vulnerability was reported to Silver Peak by the security team at Realmode Labs."}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ uses HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted by customers –on-premise or in a public cloud provider –are affected by this vulnerability."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.6,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CVE-2020-12145"}]},{"description":[{"lang":"eng","value":"CWE-287 Improper Authentication"}]}]},"references":{"reference_data":[{"name":"https://www.silver-peak.com/support/user-documentation/security-advisories","refsource":"MISC","url":"https://www.silver-peak.com/support/user-documentation/security-advisories"}]},"solution":[{"lang":"en","value":"Recommended Actions for Silver Peak Customers: Upgrade to Orchestrator 8.9.11+, 8.10.11+, or 9.0.1+."}],"source":{"advisory":"Security Advisory 2020-10-31-01-001","discovery":"EXTERNAL"}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T11:48:58.474Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.silver-peak.com/support/user-documentation/security-advisories"}]}]},"cveMetadata":{"assignerOrgId":"83cc1b1a-46b0-4ac1-94f2-bbef3319bc4c","assignerShortName":"Silver Peak","cveId":"CVE-2020-12145","datePublished":"2020-11-05T18:48:31.021Z","dateReserved":"2020-04-24T00:00:00.000Z","dateUpdated":"2024-09-16T17:07:58.945Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}