CVE-2017-3936

Published: Jun 13, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

OS Command Injection vulnerability in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, 5.3.1, 5.1.3, 5.1.2, 5.1.1, and 5.1.0 allows attackers to run arbitrary OS commands with limited privileges via not sanitizing the user input data before exporting it into a CSV format output.

Affected (7)

Products: Mcafee: Epolicy Orchestrator

Mcafee

1 product

Epolicy Orchestrator

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Mcafee Epolicy Orchestrator	Version 5.1.0
Mcafee Epolicy Orchestrator	Version 5.1.1
Mcafee Epolicy Orchestrator	Version 5.1.2
Mcafee Epolicy Orchestrator	Version 5.1.3
Mcafee Epolicy Orchestrator	Version 5.3.1
Mcafee Epolicy Orchestrator	Version 5.3.2
Mcafee Epolicy Orchestrator	Version 5.9.0

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

http://www.securityfocus.com/bid/103155

Source: trellixpsirt@trellix.com

https://kc.mcafee.com/corporate/index?page=content&id=SB10227

Source: trellixpsirt@trellix.com

http://www.securityfocus.com/bid/103155

Source: af854a3a-2127-422b-91ae-364da2661108

https://kc.mcafee.com/corporate/index?page=content&id=SB10227

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.