Home > Vulnerability Database > CVE-2020-8445

Mend.io Vulnerability Database

CVE-2020-8445

Date: January 29, 2020

In OSSEC-HIDS 2.7 through 3.5.0, the OS_CleanMSG function in ossec-analysisd doesn't remove or encode terminal control characters or newlines from processed log messages. In many cases, those characters are later logged. Because newlines (\n) are permitted in messages processed by ossec-analysisd, it may be possible to inject nested events into the ossec log. Use of terminal control characters may allow obfuscating events or executing commands when viewed through vulnerable terminal emulators. This may be an unauthenticated remote attack for certain types and origins of logged data.

Language: C

Severity Score

9.8

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-8445

Url: https://github.com/ossec/ossec-hids/issues/1814

Url: https://www.ossec.net/

Url: https://github.com/ossec/ossec-hids/issues/1821

Url: https://security.gentoo.org/glsa/202007-33

Url: https://www.mend.io/vulnerability-database/CVE-2020-8445

Severity Score

9.8

Weakness Type (CWE)

Input Validation

CWE-20

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	10.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	COMPLETE
Integrity (I):	COMPLETE
Availability (A):	COMPLETE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-8445

Date: January 29, 2020

Language: C

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?