CVE-2020-15882

8.1 HIGH

📋 TL;DR

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in MunkiReport's machine deletion endpoint. Attackers can trick authenticated users into unknowingly deleting arbitrary machines from the MunkiReport database. Organizations running MunkiReport versions before 5.6.3 are affected.

💻 Affected Systems

Products:
  • MunkiReport
Versions: All versions before 5.6.3
Operating Systems: Any OS running MunkiReport (typically macOS, Linux, Windows servers)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all MunkiReport deployments with the vulnerable endpoint accessible to authenticated users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete loss of device inventory data, disrupting IT asset management, compliance reporting, and patch management workflows across the organization.

🟠 Likely Case

Targeted deletion of specific machines causing operational disruption, loss of historical data, and potential compliance issues for affected systems.

🟢 If Mitigated

No impact if proper CSRF protections are implemented and users follow security best practices.

🌐 Internet-Facing: HIGH if MunkiReport is exposed to the internet, as attackers can craft malicious web pages to exploit the vulnerability.
🏢 Internal Only: MEDIUM as exploitation requires an authenticated user to visit a malicious page, but internal threats or compromised internal systems could still trigger the attack.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user to visit a malicious webpage. The vulnerability is well-documented in public advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.6.3

Vendor Advisory: https://github.com/munkireport/munkireport-php/wiki/20200722-CSRF-Bypass-On-Endpoints-With-No-Body-Parameters

Restart Required: No

Instructions:

1. Back up your current MunkiReport installation and database.
2. Download MunkiReport version 5.6.3 or later from the official GitHub releases.
3. Replace the existing MunkiReport files with the patched version.
4. Verify the update by checking the version in the MunkiReport interface.

🔧 Temporary Workarounds

Implement CSRF Tokens Manually

Add CSRF protection to the vulnerable endpoint by implementing anti-CSRF tokens in forms and validating them server-side.

Restrict Access to Management Interface

Limit access to the MunkiReport management interface to trusted networks or IP addresses only.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to MunkiReport management interface to authorized users only.
  • Educate users about CSRF risks and advise them to log out of MunkiReport when not in use or use separate browser profiles.

🔍 How to Verify

Check if Vulnerable:

Check your MunkiReport version via the web interface or by examining the installation files. If the version is below 5.6.3, you are vulnerable.

Check Version:

Check the MunkiReport web interface dashboard or examine the version.php file in the installation directory.

Verify Fix Applied:

After updating, confirm the version shows 5.6.3 or higher in the MunkiReport interface. Test that CSRF tokens are now required for machine deletion actions.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected DELETE requests to /manager/delete_machine/ endpoints from unusual IP addresses or user agents
  • Multiple machine deletion events in quick succession

Network Indicators:

  • HTTP POST/DELETE requests to vulnerable endpoint without proper Referer headers or CSRF tokens

SIEM Query:

source="munki_report_logs" AND (uri_path="/manager/delete_machine/" AND http_method="DELETE") | stats count by src_ip, user_agent
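The log indicators above, turned into runnable detection logic over constructed sample access-log lines; this is an added example, not part of this advisory or of the MunkiReport project. The log format (Apache combined), the trusted MunkiReport origin, the IPs, user names, machine ids and the burst threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache combined format); IPs, users, ids and times are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - alice [22/Jul/2020:10:00:01 +0000] "POST /manager/delete_machine/ABC123 HTTP/1.1" 200 12 "https://munki.example.internal/manager" "Mozilla/5.0"
203.0.113.9 - alice [22/Jul/2020:10:05:10 +0000] "DELETE /manager/delete_machine/DEF456 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.9 - alice [22/Jul/2020:10:05:11 +0000] "DELETE /manager/delete_machine/GHI789 HTTP/1.1" 200 12 "https://other-site.example/" "Mozilla/5.0"
203.0.113.9 - alice [22/Jul/2020:10:05:12 +0000] "DELETE /manager/delete_machine/JKL012 HTTP/1.1" 200 12 "https://other-site.example/" "Mozilla/5.0"
10.0.0.5 - bob [22/Jul/2020:10:20:00 +0000] "GET /manager/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

TRUSTED_ORIGIN = "https://munki.example.internal"  # hypothetical MunkiReport origin
DELETE_PATH = "/manager/delete_machine/"           # endpoint named in this advisory
BURST_WINDOW_SEC, BURST_THRESHOLD = 60, 3          # assumed tuning for "quick succession"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_suspicious_deletions(log_text):
    """Flag delete_machine requests whose Referer is missing or not same-origin
    (Referer is a heuristic: browser privacy settings can strip it, so expect some noise),
    and bursts of BURST_THRESHOLD deletions by one user/IP within BURST_WINDOW_SEC."""
    alerts, per_actor = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] not in ("POST", "DELETE") or not rec["path"].startswith(DELETE_PATH):
            continue
        per_actor[(rec["user"], rec["ip"])].append(rec["ts"])
        if not rec["referer"].startswith(TRUSTED_ORIGIN + "/"):
            alerts.append(("untrusted-referer", rec["user"], rec["ip"], rec["path"]))
    for (user, ip), times in per_actor.items():
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if (times[i + BURST_THRESHOLD - 1] - times[i]).total_seconds() <= BURST_WINDOW_SEC:
                alerts.append(("deletion-burst", user, ip, BURST_THRESHOLD))
                break
    return alerts
```

On the sample, the single POST with a same-origin Referer is left alone, the three DELETEs raise one Referer alert each, and the same user/IP pair also raises one burst alert.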
