Description
In OpenWrt LuCI git-20.x, remote unauthenticated attackers can retrieve the list of installed packages and services. NOTE: the vendor disputes the significance of this report because, for instances reachable by an unauthenticated actor, the same information is available in other (more complex) ways, and there is no plan to restrict the information further.
References (3)
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/openwrt/luci/issues/3563#issuecomment-578522860
Exploit, Third Party Advisory x_refsource_misc
https://github.com/openwrt/luci/issues/3653#issue-567892007
Exploit, Third Party Advisory x_refsource_misc
https://github.com/openwrt/luci/issues/3766
Scores
CVSS v3
5.3
EPSS
0.0168
EPSS Percentile
74.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (2)
openwrt/luci
git-20.049.11521-bebfe20
openwrt/luci
git-20.078.22902-0ed0d42
Published
Mar 23, 2020
Tracked Since
Feb 18, 2026