CVE-2020-12149 MEDIUM

CVE-2020-12149: OS Command Injection - Management File Upload

Vendor Silver Peak Systems, Inc.

Product ECOS

Weakness CWE-78

Published December 11, 2020

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

6.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The configuration backup/restore function in Silver Peak Unity ECOSTM (ECOS) appliance software was found to directly incorporate the user-controlled config filename in a subsequent shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. This vulnerability can be exploited by an attacker with authenticated access to the Orchestrator UI or EdgeConnect UI. This affects all ECOS versions prior to: 8.1.9.15, 8.3.0.8, 8.3.1.2, 8.3.2.0, 9.0.2.0, and 9.1.0.0.

Key dates

02Disclosure timeline

December 11, 2020 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-12149

Related vulnerabilities

Identifiers

CVE CVE-2020-12149

CWE CWE-78

CVSS 6.8 / MEDIUM

Affected versions

Vendor Silver Peak Systems, Inc.

Product ECOS

Affected All current ECOS versions prior to 8.1.9.15

Vendor Silver Peak Systems, Inc.

Product ECOS

Affected 8.3.0.8

Vendor Silver Peak Systems, Inc.

Product ECOS

Affected 8.3.1.2

Vendor Silver Peak Systems, Inc.

Product ECOS

Affected 8.3.2.0

Vendor Silver Peak Systems, Inc.

Product ECOS

Affected 9.0.2.0

Vendor Silver Peak Systems, Inc.

Product ECOS

Affected and 9.1.0.0

CVE-2020-12149: OS Command Injection - Management File Upload

01Description

02Disclosure timeline

03References

04Related CVE