Attacker Value: Very Low (1 user assessed)
Exploitability: Very Low (1 user assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Network

CVE-2020-14933

Disclosure Date: June 20, 2020

Description

compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. NOTE: the vendor disputes this because these two conditions for PHP object injection are not satisfied: existence of a PHP magic method (such as __wakeup or __destruct), and any attack-relevant classes must be declared before unserialize is called (or must be autoloaded).

Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very Low
Technical Analysis

tldr

This is a use of unserialize in PHP on data that comes from the user. There is no sequence of code that can be exploited to gain code execution using this method.

Outline

Passing user-controlled data to unserialize in PHP is always a bad idea. However, in order to be exploitable there needs to be additional code that will process the data through the use of Magic Methods. There do not appear to be any dangerous methods that take this data in the current version of the PHP script.

If the base PHP version that is running this application also happens to be vulnerable to https://www.cvedetails.com/cve/CVE-2017-5340/, then there is an increased possibility of gaining code execution using this methodology.

Patch

At the time of release, there is no official patch, although third-party patches have been made available here.
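The following is an added illustration, not SquirrelMail's code and not part of the assessment above. It shows the pattern the Description refers to (a POST field passed straight to unserialize) next to a hardened form, and it demonstrates the two conditions the vendor's dispute and the Outline rest on: a serialized object only becomes dangerous when a class with a magic method such as __destruct is declared at unserialize time, and an undeclared class (or one blocked with allowed_classes) only yields a __PHP_Incomplete_Class whose magic methods never run. The class DangerousGadget, the field name attachments and the payload are constructed for this example; PHP 7.0 or later is assumed because of the allowed_classes option.

```php
<?php
// Added example, not SquirrelMail code. Requires PHP >= 7.0 (allowed_classes).

// A class with a magic method is what turns unserialize() into a gadget.
// This class does NOT exist in SquirrelMail; it is declared here only to
// show what the vendor's "magic method must exist" condition means.
class DangerousGadget
{
    public $cmd;

    public function __destruct()
    {
        // A real gadget would do something like passthru($this->cmd);
        // here it only reports that attacker-controlled data reached a magic method.
        echo "__destruct ran with attacker data: " . $this->cmd . "\n";
    }
}

// Constructed attacker payload: a serialized DangerousGadget object.
$payload = 'O:15:"DangerousGadget":1:{s:3:"cmd";s:2:"id";}';

// 1. Vulnerable pattern: the raw POST field is unserialized, so any declared
//    class, magic methods included, can be instantiated by the sender.
function vulnerableRestore(array $post)
{
    return unserialize($post['attachments']);
}

// 2. Hardened pattern: objects are never instantiated from untrusted input;
//    any O:... entry becomes a __PHP_Incomplete_Class with no magic methods.
function hardenedRestore(array $post)
{
    return unserialize($post['attachments'], ['allowed_classes' => false]);
}

// 3. Preferred fix for plain data such as an attachment list: use a format
//    that cannot describe objects at all.
function jsonRestore(array $post)
{
    $data = json_decode($post['attachments'], true);
    return is_array($data) ? $data : [];
}

$obj = vulnerableRestore(['attachments' => $payload]);
echo get_class($obj) . "\n";              // DangerousGadget
unset($obj);                               // __destruct fires: attacker data reaches the magic method

$obj = hardenedRestore(['attachments' => $payload]);
echo get_class($obj) . "\n";              // __PHP_Incomplete_Class
unset($obj);                               // nothing runs: no magic method on the placeholder class

// Without a matching declared class there is nothing to trigger either, which
// is the point of the vendor's dispute for SquirrelMail's own code base.
$obj = unserialize('O:11:"NoSuchClass":0:{}');
var_dump($obj instanceof __PHP_Incomplete_Class);   // bool(true)
unset($obj);

print_r(jsonRestore(['attachments' => '["a.txt","b.pdf"]']));
```

The check a reviewer would actually make on compose.php is therefore not just "is unserialize called on POST data" but "which classes with __wakeup, __destruct, __toString or similar are declared or autoloadable at that point"; the first condition alone is why the CVE was filed, the second is why it is disputed. Moving the attachment list to JSON removes the question entirely.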

CVSS V3 Severity and Metrics
Base Score: 8.8 High
Impact Score: 5.9
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • squirrelmail

Products

  • squirrelmail 1.4.22
