Vulnerabilities > CVE-2020-15087 - Unspecified vulnerability in Prestosql Presto

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

prestosql

NVD

Published: 2020-06-30

Updated: 2022-10-21

Summary

In Presto before version 337, authenticated users can bypass authorization checks by directly accessing internal APIs. This impacts Presto server installations with secure internal communication configured. This does not affect installations that have not configured secure internal communication, as these installations are inherently insecure. This only affects Presto server installations. This does NOT affect clients such as the CLI or JDBC driver. This vulnerability has been fixed in version 337. Additionally, this issue can be mitigated by blocking network access to internal APIs on the coordinator and workers.

Vulnerable Configurations

Part	Description	Count
Application	Prestosql Prestosql Presto 318 Prestosql Presto 319 Prestosql Presto 320 Prestosql Presto 321 Prestosql Presto 322 Prestosql Presto 323 Prestosql Presto 324 Prestosql Presto 325 Prestosql Presto 326 Prestosql Presto 327 Prestosql Presto 328 Prestosql Presto 329 Prestosql Presto 330 Prestosql Presto 331 Prestosql Presto 332 Prestosql Presto 333 Prestosql Presto 334 Prestosql Presto 335 Prestosql Presto 336	19

Summary

Vulnerable Configurations

References