CVE-2019-18780

Current Description

An arbitrary command injection vulnerability in the Cluster Server component of Veritas InfoScale allows an unauthenticated remote attacker to execute arbitrary commands as root or administrator. These Veritas products are affected: Access 7.4.2 and earlier, Access Appliance 7.4.2 and earlier, Flex Appliance 1.2 and earlier, InfoScale 7.3.1 and earlier, InfoScale between 7.4.0 and 7.4.1, Veritas Cluster Server (VCS) 6.2.1 and earlier on Linux/UNIX, Veritas Cluster Server (VCS) 6.1 and earlier on Windows, Storage Foundation HA (SFHA) 6.2.1 and earlier on Linux/UNIX, and Storage Foundation HA (SFHA) 6.1 and earlier on Windows.

Basic Data

Published: November 05, 2019
Last Modified: November 14, 2019
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-78
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: COMPLETE
CVSS 2 - Availability Impact: COMPLETE
CVSS 2 - Base Score: 10.0
Severity: HIGH
Exploitability Score: 10.0
Impact Score: 10.0
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
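    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Veritas | Access | * | * | * | * | * | * | * | * |  | 7.4.2 |  |
    2.3 | Application | Veritas | Access Appliance | * | * | * | * | * | * | * | * |  | 7.4.2 |  |
    2.3 | Application | Veritas | Flex Appliance | * | * | * | * | * | * | * | * |  | 1.2 |  |
    2.3 | Application | Veritas | Infoscale | * | * | * | * | * | * | * | * |  | 7.3.1 |  |
    2.3 | Application | Veritas | Infoscale | * | * | * | * | * | * | * | * | 7.4.0 | 7.4.1 |  |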
  • AND
    • OR - Configuration 2
      Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
      2.3 | Application | Veritas | Cluster Server | * | * | * | * | * | * | * | * |  | 6.1 |  |
      2.3 | Application | Veritas | Storage Foundation Ha | * | * | * | * | * | * | * | * |  | 6.1 |  |
    • OR Running on/with:
      Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
      2.3 | OS | Microsoft | Windows | - | * | * | * | * | * | * | * |  |  |  |
  • AND
    • OR - Configuration 3
      Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
      2.3 | Application | Veritas | Cluster Server | * | * | * | * | * | * | * | * |  | 6.2.1 |  |
      2.3 | Application | Veritas | Storage Foundation Ha | * | * | * | * | * | * | * | * |  | 6.2.1 |  |
    • OR Running on/with:
      Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
      2.3 | OS | Linux | Linux Kernel | - | * | * | * | * | * | * | * |  |  |  |

Vulnerable Software List

Vendor | Product | Versions
Veritas | Access Appliance | *
Veritas | Flex Appliance | *
Veritas | Infoscale | *
Veritas | Cluster Server | *
Veritas | Storage Foundation Ha | *
Veritas | Access | *

References

Name | Source | URL | Tags
https://www.veritas.com/content/support/en_US/security/VTS19-003 | MISC | https://www.veritas.com/content/support/en_US/security/VTS19-003 | Patch, Vendor Advisory
https://www.veritas.com/content/support/en_US/security/VTS19-004 | MISC | https://www.veritas.com/content/support/en_US/security/VTS19-004 | Patch, Vendor Advisory
https://www.veritas.com/content/support/en_US/security/VTS19-005 | MISC | https://www.veritas.com/content/support/en_US/security/VTS19-005 | Patch, Vendor Advisory
https://www.veritas.com/content/support/en_US/security/VTS19-006 | MISC | https://www.veritas.com/content/support/en_US/security/VTS19-006 | Patch, Vendor Advisory