Skip to main content

Cloud CVE-2019-9945

CRITICAL
2019-03-23 cve@mitre.org
9.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 23, 2019 - 16:29 nvd
CRITICAL 9.8

DescriptionNVD

SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. The NGINX default configuration file has a check to verify the status of a user cookie. If not set, a user is redirected to the login page. An arbitrary value can be provided for this cookie to access the web interface without valid user credentials. If customers have not followed SoftNAS deployment best practices and expose SoftNAS StorageCenter ports directly to the internet, this vulnerability allows an attacker to gain access to the Webadmin interface to create new users or execute arbitrary commands with administrative privileges, compromising both the platform and the data.

AnalysisAI

SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. The NGINX default configuration file has a check to verify the status of a user cookie. If not set, a user is redirected to the login page. An arbitrary value can be provided for this cookie to access the web interface without valid user credentials. If customers have not followed SoftNAS deployment best practices and expose SoftNAS StorageCenter ports directly to the internet, this vulnerability allows an attacker to gain access to the Webadmin interface to create new users or execute arbitrary commands with administrative privileges, compromising both the platform and the data. Affected products include: Softnas Cloud.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Cloud

View all
CVE-2023-46214 HIGH POC
8.8 Nov 16

In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet la

CVE-2018-14417 CRITICAL POC
9.8 Aug 04

A command injection vulnerability was found in the web administration console in SoftNAS Cloud before 4.0.3. Rated criti

CVE-2023-22951 HIGH POC
8.8 Apr 13

An issue was discovered in TigerGraph Enterprise Free Edition 3.x. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2014-3476 MEDIUM POC
6.0 Jun 17

OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle c

CVE-2020-15506 CRITICAL
9.8 Jul 07

An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,

CVE-2025-11919 CRITICAL
9.6 Jun 26

Code execution against the shared multi-tenant Java runtime in Wolfram Cloud 14.2 is possible because the default JVM re

CVE-2023-22949 MEDIUM POC
4.9 Apr 14

An issue was discovered in TigerGraph Enterprise Free Edition 3.x. Rated medium severity (CVSS 4.9), this vulnerability

CVE-2013-4365 HIGH
7.5 Oct 17

Heap-based buffer overflow in the fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3

CVE-2023-32764 HIGH
7.8 Aug 03

Fabasoft Cloud Enterprise Client 23.3.0.130 allows a user to escalate their privileges to local administrator. Rated hig

CVE-2024-36982 HIGH
7.5 Jul 01

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9

CVE-2023-42578 HIGH
7.5 Dec 05

Improper handling of insufficient permissions or privileges vulnerability in Samsung Data Store prior to version 5.2.00.

CVE-2022-33713 HIGH
7.5 Jul 12

Implicit Intent hijacking vulnerability in Samsung Cloud prior to version 5.2.0 allows attacker to get sensitive informa

Share

CVE-2019-9945 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy