exploitDog

CVE-2020-12148

Published: 11 Dec 2020
Source: nvd
CVSS3: 6.8
CVSS2: 8.5
EPSS: Low

Description

A command injection flaw identified in the nslookup API in Silver Peak Unity ECOS™ (ECOS) appliance software could allow an attacker to execute arbitrary commands with the privileges of the web server running on the EdgeConnect appliance. An attacker could exploit this vulnerability to establish an interactive channel, effectively taking control of the target system. This vulnerability can be exploited by an attacker with authenticated access to the Orchestrator UI or EdgeConnect UI. This affects all ECOS versions prior to: 8.1.9.15, 8.3.0.8, 8.3.1.2, 8.3.2.0, 9.0.2.0, and 9.1.0.0.

Vulnerable configurations

Configuration 1

All of

One of

cpe:2.3:a:arubanetworks:edgeconnect_enterprise:*:*:*:*:*:*:*:*
Version from 8.1 (inclusive) to 8.1.9.15 (exclusive)
cpe:2.3:a:arubanetworks:edgeconnect_enterprise:*:*:*:*:*:*:*:*
Version from 8.3.0 (inclusive) to 8.3.0.8 (exclusive)
cpe:2.3:a:arubanetworks:edgeconnect_enterprise:*:*:*:*:*:*:*:*
Version from 8.3.1 (inclusive) to 8.3.1.2 (exclusive)
cpe:2.3:a:arubanetworks:edgeconnect_enterprise:*:*:*:*:*:*:*:*
Version from 9.0 (inclusive) to 9.0.2.0 (exclusive)

One of

cpe:2.3:a:arubanetworks:vx-1000:-:*:*:*:*:*:*:*
cpe:2.3:a:arubanetworks:vx-2000:-:*:*:*:*:*:*:*
cpe:2.3:a:arubanetworks:vx-3000:-:*:*:*:*:*:*:*
cpe:2.3:a:arubanetworks:vx-500:-:*:*:*:*:*:*:*
cpe:2.3:a:arubanetworks:vx-5000:-:*:*:*:*:*:*:*
cpe:2.3:a:arubanetworks:vx-6000:-:*:*:*:*:*:*:*
cpe:2.3:a:arubanetworks:vx-7000:-:*:*:*:*:*:*:*
cpe:2.3:a:arubanetworks:vx-8000:-:*:*:*:*:*:*:*
cpe:2.3:a:arubanetworks:vx-9000:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:nx-10700:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:nx-11700:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:nx-1700:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:nx-2700:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:nx-3700:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:nx-5700:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:nx-6700:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:nx-700:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:nx-7700:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:nx-8700:-:*:*:*:*:*:*:*
cpe:2.3:h:arubanetworks:nx-9700:-:*:*:*:*:*:*:*

EPSS

Percentile: 48%
0.00251
Low

6.8 Medium

CVSS3

8.5 High

CVSS2

Weaknesses

CWE-78

Related vulnerabilities

CVSS3: 6.8
github
more than 3 years ago

A command injection flaw identified in the nslookup API in Silver Peak Unity ECOS™ (ECOS) appliance software could allow an attacker to execute arbitrary commands with the privileges of the web server running on the EdgeConnect appliance. An attacker could exploit this vulnerability to establish an interactive channel, effectively taking control of the target system. This vulnerability can be exploited by an attacker with authenticated access to the Orchestrator UI or EdgeConnect UI. This affects all current ECOS versions: 8.1.9.15, 8.3.0.8, 8.3.1.2, 8.3.2.0, 9.0.2.0, and 9.1.0.0.

CVSS3: 6.8
fstec
about 5 years ago

A vulnerability in the web management interface of the Aruba EdgeConnect Enterprise centralized network management platform that allows an attacker to execute arbitrary code
