Controller
CVE-2024-50603
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
AnalysisAI
Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996 contains an OS command injection via improper neutralization of special elements in the /v1/api endpoint, allowing unauthenticated remote code execution.
Technical ContextAI
The CWE-78 command injection in the list_flightpath_destination_instances and src_cloud_type parameters of /v1/api fails to sanitize shell metacharacters. Attackers inject OS commands that execute with the privileges of the Aviatrix Controller process.
RemediationAI
Update Aviatrix Controller immediately. Rotate all cloud API credentials accessible from the controller. Review cloud network configurations for unauthorized modifications. Restrict controller management interface access.
More in Controller
View allAn issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Rated critical severity (CVSS 9.8), this vulner
An issue was discovered in Aviatrix Controller before R6.0.2483. Rated critical severity (CVSS 9.8), this vulnerability
An Elevation of Privilege issue was discovered in Aviatrix VPN Client before 2.10.7, because of an incomplete fix for CV
An issue was discovered in Aviatrix Controller before R5.4.1290. Rated high severity (CVSS 8.8), this vulnerability is r
An issue was discovered in Aviatrix Controller before R6.0.2483. Rated high severity (CVSS 7.5), this vulnerability is r
An issue was discovered in Aviatrix Controller before R5.3.1151. Rated high severity (CVSS 7.5), this vulnerability is r
An issue was discovered in Aviatrix Controller before R5.3.1151. Rated high severity (CVSS 7.5), this vulnerability is r
An issue was discovered in Aviatrix Controller before R5.4.1290. Rated high severity (CVSS 7.5), this vulnerability is r
An issue was discovered in Aviatrix Controller through 5.1. Rated high severity (CVSS 7.5), this vulnerability is remote
An issue was discovered in Aviatrix Controller before 5.4.1204. Rated high severity (CVSS 7.5), this vulnerability is re
An issue was discovered in Aviatrix Controller before 5.4.1204. Rated medium severity (CVSS 5.3), this vulnerability is
IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 is vulnerable to unrestricted deserialization.
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today