The configuration backup/restore function in Silver Peak Unity ECOS™ (ECOS) appliance software was found to directly incorporate the user-controlled config filename in a subsequent shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. This vulnerability can be exploited by an attacker with authenticated access to the Orchestrator UI or EdgeConnect UI. This affects all ECOS versions prior to: 8.1.9.15, 8.3.0.8, 8.3.1.2, 8.3.2.0, 9.0.2.0, and 9.1.0.0.
References
Link | Resource |
---|---|
https://www.silver-peak.com/support/user-documentation/security-advisories | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Silver Peak
Published: 2020-11-30T00:00:00
Updated: 2020-12-15T16:14:01
Reserved: 2020-04-24T00:00:00
Link: CVE-2020-12149
NVD Information
Status: Analyzed
Published: 2020-12-11T16:15:11.807
Modified: 2023-11-07T21:16:04.017
Link: CVE-2020-12149
Redhat Information
No data.
CWE