CVE-2024-2389 Flowmon Unauthenticated Command Injection Vulnerability

2024-04-0212:22:45

CWE-78

ProgressSoftware

www.cve.org

flowmon

unauthenticated

command injection

vulnerability

operating system

management interface

arbitrary system commands

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.9%

JSON

In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "Flowmon",
    "vendor": "Progress Software",
    "versions": [
      {
        "lessThan": "11.1.14",
        "status": "affected",
        "version": "11.X",
        "versionType": "semver"
      },
      {
        "lessThan": "12.3.5",
        "status": "affected",
        "version": "12.X",
        "versionType": "semver"
      }
    ]
  }
]