CVE-2020-12145

moderate-risk
Published 2020-11-05

Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ uses HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted by customers –on-premise or in a public cloud provider –are affected by this vulnerability.

Do I need to act?

!
59.0% chance of exploitation in next 30 days
EPSS score — higher than 41% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.6/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Affected Vendors

Silver-Peak

References (2)

Vendor Advisory https://www.silver-peak.com/support/user-documentation/security-advisories
Vendor Advisory https://www.silver-peak.com/support/user-documentation/security-advisories
43
/ 100
moderate-risk
Severity 20/34 · Moderate
Exploitability 18/34 · Moderate
Exposure 5/34 · Minimal