Aviatrix Controller <=7.1.4191 Cmd Inject via /v1/api (CVE-2024-50603)
CVE-2024-50603 Published on January 8, 2025
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
Known Exploited Vulnerability
This Aviatrix Controllers OS Command Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
The following remediation steps are recommended / required by February 6, 2025: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2024-50603 has been classified to as a Shell injection vulnerability or weakness.
Products Associated with CVE-2024-50603
Want to know whenever a new CVE is published for Aviatrix Controller? stack.watch will email you.
Affected Versions
Aviatrix Controller:- Before 7.1.4191 is affected.
- Version 7.2.0 and below 7.2.4996 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.