OS Command Injection in Netskope client - CVE-2019-12091
Published: September 27, 2019
Vulnerability identifier: #VU21396
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-12091
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Netskope
Affected software:
Netskope client
Netskope client
Detailed vulnerability description
The vulnerability allows a local user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the connection handling function. A local authenticated user can execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
This vulnerability affects the following versions:
- Netskope client v57 before 57.2.0.219
- Netskope client v60 before 60.2.0.214
How to mitigate CVE-2019-12091
Install updates from vendor's website.