CVE-2020-12145

Published: Nov 5, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ uses HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted by customers –on-premise or in a public cloud provider –are affected by this vulnerability.

Affected (3)

Products: Silver Peak: Unity Orchestrator

1 product

Unity Orchestrator

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Silver Peak Unity Orchestrator	Before 8.9.11\+
Silver Peak Unity Orchestrator	From 8.10 to 8.10.11\+
Silver Peak Unity Orchestrator	From 9.0 to 9.0.1\+

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (2)

https://www.silver-peak.com/support/user-documentation/security-advisories

Source: sirt@silver-peak.com

Vendor Advisory

https://www.silver-peak.com/support/user-documentation/security-advisories

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.