CVE-2020-12145
MEDIUM
Silver Peak Unity Orchestrator < 8.9.11+ - Improper Authentication via HTTP Host Header
Title source: llm
Description
Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+ use HTTP headers to authenticate REST API calls from localhost. This makes it possible to log in to Orchestrator by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances that are hosted by customers, whether on-premise or in a public cloud provider, are affected by this vulnerability.
References (1)
Core References
Vendor Advisory x_refsource_misc
https://www.silver-peak.com/support/user-documentation/security-advisories
Scores
CVSS v3
6.6
EPSS
0.0605
EPSS Percentile
92.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (1)
silver-peak/unity_orchestrator
< 8.9.11+
Published
Nov 05, 2020
Tracked Since
Feb 18, 2026