Revisions
- 1.0: May 11, 2020, Initial release
- 1.1: June 4, 2020, Corrected initial release date
Summary
APTARE version 10.4 contains fixes to several security issues. It is recommended that Veritas customers update APTARE software to the latest 10.4 release.
Description
APTARE 10.4 addresses the following security vulnerabilities:
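Issue | Description | Severity | Fixed version |
---|---|---|---|
1 | Sensitive Information Disclosure | High | 10.4 |
2 | Authentication Weakness | Medium | 10.4 |
3 | Authorization Bypass | Medium | 10.4 |
4 | Information Disclosure | Medium | 10.4 |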
Issues
Issue #1
Sensitive Information Disclosure
- CVE ID: CVE-2020-12874
- Severity: High
- CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
APTARE versions prior to 10.4 allowed sensitive information to be accessible without authentication.
Issue #2
Authentication Weakness
- CVE ID: CVE-2020-12875
- Severity: Medium
- CVSS v3.1 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
APTARE versions prior to 10.4 included code that bypassed the normal login process when specific authentication credentials were provided to the server.
Issue #3
Authorization Bypass
- CVE ID: CVE-2020-12876
- Severity: Medium
- CVSS v3.1 Base Score: 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
APTARE versions prior to 10.4 did not perform adequate authorization checks. An authenticated user could gain unauthorized access to sensitive information or functionality by manipulating specific parameters within the application.
Issue #4
Information Disclosure
- CVE ID: CVE-2020-12877
- Severity: Medium
- CVSS v3.1 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
APTARE versions prior to 10.4 allowed remote users to access several unintended files on the server. This vulnerability only impacted Windows server deployments.