CVE-2020-11061

Source
https://cve.org/CVERecord?id=CVE-2020-11061
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11061.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-11061
Aliases
  • GHSA-mm45-cg35-54j4
Downstream
Published
2020-07-10T20:15:11.157Z
Modified
2026-07-08T06:00:21.078498180Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
Summary
[none]
Details

In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in Bareos versions 19.2.8, 18.2.9 and 17.2.10.

Database specific
{
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "9.0"
                },
                {
                    "last_affected": "9.0"
                }
            ],
            "source": "CPE_STRING",
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "debian:debian_linux"
        }
    ]
}
References

Affected packages

Git / github.com/bareos/bareos

Affected ranges

Type
GIT
Repo
https://github.com/bareos/bareos
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "16.2.10"
        },
        {
            "introduced": "17.2.4"
        },
        {
            "last_affected": "17.2.9"
        },
        {
            "introduced": "18.2.5"
        },
        {
            "last_affected": "18.2.8"
        },
        {
            "introduced": "18.4.1"
        },
        {
            "last_affected": "19.2.7"
        },
        {
            "introduced": "18.2.4-rc1"
        },
        {
            "last_affected": "18.2.4-rc1"
        },
        {
            "introduced": "18.2.4-rc2"
        },
        {
            "last_affected": "18.2.4-rc2"
        }
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "cpe": [
        "cpe:2.3:a:bareos:bareos:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:bareos:bareos:18.2.4:rc1:*:*:*:*:*:*",
        "cpe:2.3:a:bareos:bareos:18.2.4:rc2:*:*:*:*:*:*"
    ]
}

Affected versions

18.*
18.2.4-rc1
18.2.4-rc2
Release/12.*
Release/12.4.0
Release/12.4.1
Release/16.*
Release/16.2.4
Release/16.2.4-rc1
Release/16.2.5
Release/16.2.5-win-installer-fix
Release/16.2.6
Release/16.2.7
Release/16.2.8
Release/16.2.9
Release/17.*
Release/17.2.4
Release/17.2.5
Release/17.2.6
Release/17.2.7
Release/17.2.8
Release/18.*
Release/18.2.4-rc1
Release/18.2.4-rc2
Release/18.2.5
Release/18.2.6
Release/18.2.7
Release/18.4.1
Release/19.*
Release/19.2.4
Release/19.2.4-rc1
Release/19.2.5
Release/19.2.6
Release/bacula-5.*
Release/bacula-5.2.13
WIP/16.*
WIP/16.2.10-pre
WIP/16.2.9-pre
WIP/17.*
WIP/17.2.9-pre
WIP/18.*
WIP/18.2.7-pre
WIP/18.2.8-pre
WIP/19.*
WIP/19.2.4-pre
WIP/19.2.5-pre
WIP/19.2.6-pre
WIP/19.2.7-pre

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11061.json"