Security Vulnerabilities - CVEs Published In March 2020
VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a use-after vulnerability in vmnetdhcp. Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine.
CVSS Score
8.8
EPSS Score
0.004
Published
2020-03-16
Linux Guest VMs running on VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint. Local attackers with non-administrative access to a Linux guest VM with virtual printing enabled may exploit this issue to elevate their privileges to root on the same guest VM.
CVSS Score
7.8
EPSS Score
0.0
Published
2020-03-16
index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.
CVSS Score
7.2
EPSS Score
0.798
Published
2020-03-16
CVE-2020-5847
Unraid through 6.8.0 allows Remote Code Execution.
Known exploited
CVSS Score
9.8
EPSS Score
0.935
Published
2020-03-16
CVE-2020-5849
Unraid 6.8.0 allows authentication bypass.
Known exploited
CVSS Score
7.5
EPSS Score
0.937
Published
2020-03-16
Nagios NRPE 3.2.1 has Insufficient Filtering because, for example, nasty_metachars interprets \n as the character \ and the character n (not as the \n newline sequence). This can cause command injection.
CVSS Score
7.3
EPSS Score
0.003
Published
2020-03-16
Nagios NRPE 3.2.1 has a Heap-Based Buffer Overflow, as demonstrated by interpretation of a small negative number as a large positive number during a bzero call.
CVSS Score
7.5
EPSS Score
0.016
Published
2020-03-16
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
CVSS Score
3.9
EPSS Score
0.001
Published
2020-03-16
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
CVSS Score
3.9
EPSS Score
0.0
Published
2020-03-16
Nagios Log Server 2.1.3 has Incorrect Access Control.
CVSS Score
6.5
EPSS Score
0.005
Published
2020-03-16