CVE-2020-36623 - Vulnerability Details - OpenCVE

A vulnerability was found in Pengu. It has been declared as problematic. Affected by this vulnerability is the function runApp of the file src/index.js. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The name of the patch is aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216475.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Pengu Project	Pengu

Configuration 1 [-]

cpe:2.3:a:pengu_project:pengu:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/jtojnar/pengu/commit/aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91
https://vuldb.com/?id.216475

History

Tue, 15 Apr 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2022-12-21T00:00:00.000Z

Updated: 2025-04-15T12:55:49.525Z

Reserved: 2022-12-21T00:00:00.000Z

Link: CVE-2020-36623

Vulnrichment

Updated: 2024-08-04T17:30:08.422Z

NVD

Status : Modified

Published: 2022-12-21T19:15:12.227

Modified: 2024-11-21T05:29:55.100

Link: CVE-2020-36623

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-36623", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "dateUpdated": "2025-04-15T12:55:49.525Z", "dateReserved": "2022-12-21T00:00:00.000Z", "datePublished": "2022-12-21T00:00:00.000Z"}, "containers": {"cna": {"title": "Pengu index.js runApp cross-site request forgery", "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2022-12-21T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability was found in Pengu. It has been declared as problematic. Affected by this vulnerability is the function runApp of the file src/index.js. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The name of the patch is aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216475."}], "affected": [{"vendor": "unspecified", "product": "Pengu", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/jtojnar/pengu/commit/aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91"}, {"url": "https://vuldb.com/?id.216475"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-863 Incorrect Authorization -> CWE-862 Missing Authorization -> CWE-352 Cross-Site Request Forgery", "cweId": "CWE-863"}]}], "x_generator": "vuldb.com"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:30:08.422Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/jtojnar/pengu/commit/aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91", "tags": ["x_transferred"]}, {"url": "https://vuldb.com/?id.216475", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-14T17:00:32.168278Z", "id": "CVE-2020-36623", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-15T12:55:49.525Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-36623", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "dateUpdated": "2025-04-15T12:55:49.525Z", "dateReserved": "2022-12-21T00:00:00.000Z", "datePublished": "2022-12-21T00:00:00.000Z"}, "containers": {"cna": {"title": "Pengu index.js runApp cross-site request forgery", "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2022-12-21T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability was found in Pengu. It has been declared as problematic. Affected by this vulnerability is the function runApp of the file src/index.js. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The name of the patch is aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216475."}], "affected": [{"vendor": "unspecified", "product": "Pengu", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/jtojnar/pengu/commit/aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91"}, {"url": "https://vuldb.com/?id.216475"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-863 Incorrect Authorization -> CWE-862 Missing Authorization -> CWE-352 Cross-Site Request Forgery", "cweId": "CWE-863"}]}], "x_generator": "vuldb.com"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:30:08.422Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/jtojnar/pengu/commit/aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91", "tags": ["x_transferred"]}, {"url": "https://vuldb.com/?id.216475", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-36623", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-14T17:00:32.168278Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T17:00:34.256Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pengu_project:pengu:*:*:*:*:*:*:*:*", "matchCriteriaId": "69657BC6-E5C0-4D73-A890-093ACB51853E", "versionEndExcluding": "2020-11-02", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Pengu. It has been declared as problematic. Affected by this vulnerability is the function runApp of the file src/index.js. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The name of the patch is aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216475."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Pengu. Ha sido declarada problem\u00e1tica. La funci\u00f3n runApp del archivo src/index.js es afectada por esta vulnerabilidad. La manipulaci\u00f3n conduce a la Cross-Site Request Forgery (CSRF). El ataque se puede lanzar de forma remota. El nombre del parche es aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91. Se recomienda aplicar un parche para solucionar este problema. El identificador asociado de esta vulnerabilidad es VDB-216475."}], "id": "CVE-2020-36623", "lastModified": "2024-11-21T05:29:55.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-21T19:15:12.227", "references": [{"source": "cna@vuldb.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jtojnar/pengu/commit/aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.216475"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jtojnar/pengu/commit/aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.216475"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}