TROYANOSYVIRUS

CVE-2024-50603

CRITICAL | CISA KEV
10.0

Description

An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.

CVE Details

CVSS v3.1 score: 10.0
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 1/8/2025
Last modified: 11/5/2025
Source: kev
Honeypot sightings: 0

CISA KEV

Vendor: Aviatrix
Product: Controllers
Vulnerability name: Aviatrix Controllers OS Command Injection Vulnerability
KEV date added: 2025-01-16
Remediation due date: 2025-02-06
Ransomware use: Unknown

Affected products

aviatrix:controller

Weaknesses (CWE)

CWE-78

IOC correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.