8.1

CVE-2018-6961

Warnung
Exploit
VMware NSX SD-WAN Edge by VeloCloud prior to version 3.1.0 contains a command injection vulnerability in the local web UI component. This component is disabled by default and should not be enabled on untrusted networks. VeloCloud by VMware will be removing this service from the product in future releases. Successful exploitation of this issue could result in remote code execution.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VMwareNsx Sd-wan By Velocloud Version < 3.1.0

25.03.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

VMware SD-WAN Edge by VeloCloud Command Injection Vulnerability

Schwachstelle

VMware SD-WAN Edge by VeloCloud contains a command injection vulnerability in the local web UI component. Successful exploitation of this issue could result in remote code execution.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 86.43% 0.997
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.1 2.2 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.1 2.2 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

http://www.securityfocus.com/bid/104185
Third Party Advisory
Broken Link
VDB Entry
http://www.securitytracker.com/id/1041210
Third Party Advisory
Broken Link
VDB Entry
http://www.vmware.com/security/advisories/VMSA-2018-0011.html
Vendor Advisory
https://www.exploit-db.com/exploits/44959/
Third Party Advisory
Exploit
VDB Entry
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-6961
US Government Resource