CVE-2020-12149
6.8
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Exploitability: 0.9 / Impact: 5.9
Source: NVD
Description
The configuration backup/restore function in Silver Peak Unity ECOS™ (ECOS) appliance software was found to directly incorporate the user-controlled config filename in a subsequent shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. This vulnerability can be exploited by an attacker with authenticated access to the Orchestrator UI or EdgeConnect UI. This affects all ECOS versions prior to: 8.1.9.15, 8.3.0.8, 8.3.1.2, 8.3.2.0, 9.0.2.0, and 9.1.0.0.
Affected (4)
Products: Arubanetworks: Edgeconnect Enterprise
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| | From 8.1 to 8.1.9.15 |

| Running on/with | Platform Versions |
|---|---|
| Arubanetworks Nx 10700 | All versions |
| Arubanetworks Nx 11700 | All versions |
| Arubanetworks Nx 1700 | All versions |
| Arubanetworks Nx 2700 | All versions |
| Arubanetworks Nx 3700 | All versions |
| Arubanetworks Nx 5700 | All versions |
| Arubanetworks Nx 6700 | All versions |
| Arubanetworks Nx 700 | All versions |
| Arubanetworks Nx 7700 | All versions |
| Arubanetworks Nx 8700 | All versions |
| Arubanetworks Nx 9700 | All versions |
| Arubanetworks Vx 1000 | All versions |
| Arubanetworks Vx 2000 | All versions |
| Arubanetworks Vx 3000 | All versions |
| Arubanetworks Vx 500 | All versions |
| Arubanetworks Vx 5000 | All versions |
| Arubanetworks Vx 6000 | All versions |
| Arubanetworks Vx 7000 | All versions |
| Arubanetworks Vx 8000 | All versions |
| Arubanetworks Vx 9000 | All versions |
| Silver Peak Unity Edgeconnect | All versions |
References (2)
Source: sirt@silver-peak.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory