CVE-2020-7035 : What You Need to Know

An XML External Entities (XXE) vulnerability in the web-based user interface of Avaya Aura Orchestration Designer could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Orchestration Designer include all 7.x versions before 7.2.3.

Understanding CVE-2020-7035

This CVE involves a security vulnerability in Avaya Aura Orchestration Designer that could be exploited by a remote attacker to access sensitive information.

What is CVE-2020-7035?

CVE-2020-7035 is an XXE vulnerability in Avaya Aura Orchestration Designer, allowing unauthorized access to system information.

The Impact of CVE-2020-7035

The vulnerability poses a high risk, with a CVSS base score of 8.1, affecting confidentiality and availability.

Technical Details of CVE-2020-7035

This section provides in-depth technical insights into the vulnerability.

Vulnerability Description

The vulnerability arises from improper handling of XML external entity references, enabling unauthorized data access.

Affected Systems and Versions

Product: Aura Orchestration Designer
Vendor: Avaya
Versions Affected: All 7.x versions prior to 7.2.3

Exploitation Mechanism

Attack Complexity: Low
Attack Vector: Network
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: High

Mitigation and Prevention

Protecting systems from CVE-2020-7035 requires immediate actions and long-term security measures.

Immediate Steps to Take

Update Avaya Aura Orchestration Designer to version 7.2.3 or higher.
Monitor system logs for any suspicious activities.
Restrict network access to the affected system.

Long-Term Security Practices

Conduct regular security assessments and audits.
Educate users on safe browsing habits and phishing awareness.
Implement network segmentation to contain potential attacks.

Patching and Updates

Apply security patches provided by Avaya promptly.