CVE-2019-17562

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-17562
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-17562.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-17562
Published
2020-05-14T17:15:11Z
Modified
2024-09-03T02:30:33.090633Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

A buffer overflow vulnerability has been found in the baremetal component of Apache CloudStack. It affects all versions prior to 4.13.1. The vulnerability is caused by a lack of validation of the mac parameter in the baremetal virtual router: if an arbitrary shell command is inserted into the mac parameter, the virtual router (v-router) processes the command. For example: Normal: http://{GW}:10086/baremetal/provisiondone/{mac}, Abnormal: http://{GW}:10086/baremetal/provisiondone/#';whoami;#. The mitigation for this issue is to upgrade to Apache CloudStack 4.13.1.0 or later.

References

Affected packages

Git / github.com/apache/cloudstack

Affected ranges

Type
GIT
Repo
https://github.com/apache/cloudstack
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

4.*

4.10.0.0
4.11.0.0
4.11.1
4.11.1.0
4.11.2.0
4.11.3.0
4.12.0.0
4.5.1
4.6.0
4.7.0
4.7.0-rc1
4.8.0
4.8.1
4.9.0
4.9.1-RC1
4.9.1.0
4.9.1.0-rc1
4.9.2.0
4.9.3.0
4.9.3.1

Other

acton-beta1-prerelease-1
ovm3
portgroup_no_gc_tag

shapeblue-4.*

shapeblue-4.5.1-00
shapeblue-4.6.0-00

tag-2.*

tag-2.2.8
tag-2.2.8.RC1
tag-2.2.8.RC2

tag-3.*

tag-3.0.1-prerelease-1