CVE-2020-15390
📋 TL;DR
CVE-2020-15390 is an improper access control vulnerability in Pega Platform's pyActivity component that allows unauthenticated attackers to access sensitive system information via the =GetWebInfo parameter. This affects Pega Platform 8.4.0.237 installations, potentially exposing configuration details, user data, and system information to remote attackers.
💻 Affected Systems
- Pega Platform
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through information disclosure leading to further attacks, credential theft, and unauthorized access to sensitive business data.
Likely Case
Sensitive information disclosure including system configurations, user details, and potentially credentials that could enable lateral movement or privilege escalation.
If Mitigated
Limited impact with proper network segmentation and access controls, though information disclosure still occurs.
🎯 Exploit Status
The exploit requires simple HTTP requests to the vulnerable endpoint. Public proof-of-concept demonstrates easy exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.4.1 and later
Vendor Advisory: https://www.pega.com/products/pega-platform/security-advisories
Restart Required: Yes
Instructions:
1. Upgrade to Pega Platform 8.4.1 or later.
2. Apply the security patch from Pega's official repository.
3. Restart the Pega Platform services.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the vulnerable endpoint using network firewalls or web application firewalls.
# Configure firewall to block access to /prweb/PRRestService/* endpoints
# Implement WAF rules to block requests containing =GetWebInfo
Input Validation
Implement input validation to reject requests containing the =GetWebInfo parameter.
# Configure Pega Platform to reject requests with =GetWebInfo parameter
# Implement custom validation rules in the application layer
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Pega Platform from untrusted networks
- Deploy a web application firewall with rules to block requests containing =GetWebInfo
🔍 How to Verify
Check if Vulnerable:
Send an HTTP request to the vulnerable endpoint: GET /prweb/PRRestService/pyActivity?pyActivity=GetWebInfo and check if sensitive information is returned.
Check Version:
Check Pega Platform version in the administration console or via system properties
Verify Fix Applied:
After patching, attempt the same request and verify that no sensitive information is disclosed and appropriate access controls are enforced.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '=GetWebInfo' in the URL
- Unusual access patterns to pyActivity endpoints
- Large volume of requests to sensitive endpoints
Network Indicators:
- HTTP GET requests to /prweb/PRRestService/pyActivity with =GetWebInfo parameter
- Unusual outbound data transfers following access to vulnerable endpoint
SIEM Query:
source="web_server" AND url="*pyActivity*" AND url="*=GetWebInfo*"
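The log indicators above can be checked offline against web-server access logs. The script below is an added example, not part of this advisory or of Pega's tooling: it parses combined-format log lines (constructed samples, not real traffic), matches the pyActivity path from the advisory, and compares the URL-decoded query values against GetWebInfo, so a percent-encoded value that a plain "*=GetWebInfo*" substring search would miss is still flagged.

```python
"""Added example: flag access-log lines matching the CVE-2020-15390 indicators
(requests to /prweb/PRRestService/pyActivity carrying GetWebInfo)."""
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client - - [timestamp] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint path named in the advisory (assumed to be matched case-insensitively).
PYACTIVITY_PATH = "/prweb/prrestservice/pyactivity"


def is_getwebinfo_probe(target: str) -> bool:
    """True when the request targets the pyActivity endpoint and any query
    parameter decodes to GetWebInfo. Decoding the query first catches values
    such as Get%57ebInfo that a raw substring search on the URL would miss."""
    parts = urlsplit(target)
    if PYACTIVITY_PATH not in parts.path.lower():
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(v.strip() == "GetWebInfo" for vals in params.values() for v in vals)


def find_probes(log_lines):
    """Return (client, timestamp, status) for each matching line. The status
    lets a responder separate served responses (200) from blocked ones (403)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_getwebinfo_probe(m["target"]):
            hits.append((m["client"], m["ts"], int(m["status"])))
    return hits


# Constructed sample log lines (documentation IP ranges, not real clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2020:13:55:36 +0000] "GET /prweb/PRRestService/pyActivity?pyActivity=GetWebInfo HTTP/1.1" 200 4821',
    '203.0.113.7 - - [10/Jul/2020:13:55:37 +0000] "GET /prweb/PRRestService/pyActivity?pyActivity=Get%57ebInfo HTTP/1.1" 200 4821',
    '198.51.100.2 - - [10/Jul/2020:13:56:01 +0000] "GET /prweb/PRServlet HTTP/1.1" 200 1203',
    '198.51.100.2 - - [10/Jul/2020:13:57:40 +0000] "GET /prweb/search?q=GetWebInfo HTTP/1.1" 200 880',
    '192.0.2.9 - - [10/Jul/2020:14:00:12 +0000] "GET /prweb/PRRestService/pyActivity?pyActivity=GetWebInfo HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for client, ts, status in find_probes(SAMPLE_LOG):
        print(f"{ts} {client} GetWebInfo request -> HTTP {status}")
```

The search line is deliberately not flagged: GetWebInfo outside the pyActivity endpoint is not the indicator the advisory describes, which keeps the false-positive rate down compared with the bare SIEM substring match.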