cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CVE-2020-12081 Remediated in FlexNet Publisher

CVE-2020-12081 Remediated in FlexNet Publisher

Summary

A Disclosure of sensitive information vulnerability existed in lmadmin systems. The web portal link can be used to access to system files or other important files on the system. The vulnerability was discovered in FlexNet Publisher's lmadmin 11.14.0.2.

If you do not distribute lmadmin to your customers, there is no further action on your part. If you do, you must distribute to those same customers the security update mentioned in the Resolution section of this article.The vulnerability will not impact lmadmin if started without integrated web server.

Symptoms

**** Only the following information is permitted to be distributed to users of products enabled with FlexNet Publisher:

- CVE number (if available)

- CWE ID

- CVSS scores

- Any publicly available information

****

Through lmadmin provided web portal the user can access unconditionally the files located at out of the installation path. The information in these files can be compromised. This vulnerability has been assigned the ID of CVE-2020-12081. The CVSS v2 base score for this vulnerability is 6.2; that is, medium severity.

Resolution

The lmadmin functionality has been enhanced to access the files which are relative to the lmadmin installation location.

The FlexNet Publisher 2016 R2 SP2 (11.14.1.2) and later address the security vulnerability and will be available on the Product and License Center. We advise all FlexNet Publisher customers update lmadmin binary to FlexNet Publisher 2016 R2 SP2 or later. As good practice, we advise customers to expose lmadmin to only a trusted network. This will reduce the attack vector to only those attackers who have access to that trusted network.

Additional Information

For identifying this vulnerability and disclosing it to Revenera under a responsible disclosure process, we'd like to thank the team members of TIM S.p.A - TIM Security Red Team Research:

  • Alessandro Bosco
  • Luca Di Giuseppe
  • Alessandro Sabetta

Related Documents

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12081

Labels (3)
Was this article helpful? Yes No
No ratings
Version history
Revision #:
1 of 1
Last update:
‎Jul 05, 2020 04:20 PM
Updated by:
 
Contributors