SB2019082607 - Multiple vulnerabilities in Enterprise NFV Infrastructure Software
Published: August 26, 2019
Security Bulletin ID
SB2019082607
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2019-1984)
The vulnerability allows a remote attacker to overwrite files on the underlying operating system (OS) of an affected device.
The vulnerability exists due to improper input validation in an NFVIS file-system command. A remote authenticated administrator can use specially crafted variables during the execution of an affected command and overwrite arbitrary files on the underlying OS.
2) File and Directory Information Exposure (CVE-ID: CVE-2019-12623)
The vulnerability allows a remote attacker to perform file enumeration on an affected system.
The vulnerability exists in the web server functionality due to the web server responds with different error codes for exist and non-exist files. A remote attacker can send specially crafted GET requests for different file names and enumerate files residing on the system.
Remediation
Install update from vendor's website.