#VU21396 OS Command Injection in Netskope client - CVE-2019-12091
Published: September 27, 2019
Vulnerability identifier: #VU21396
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-12091
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Netskope client
Netskope client
Software vendor:
Netskope
Netskope
Description
The vulnerability allows a local user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the connection handling function. A local authenticated user can execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
This vulnerability affects the following versions:
- Netskope client v57 before 57.2.0.219
- Netskope client v60 before 60.2.0.214
Remediation
Install updates from vendor's website.