Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM62A292E97B485C3B75AC47FCD134FB3F08CB89E931113039BB13C9649654AF1D
HistoryJul 17, 2020 - 12:46 a.m.

Security Bulletin: Curl vulnerabilities CVE-2019-5443 impacts IBM Aspera High-Speed Transfer Server, IBM Aspera High-Speed Transfer Client, IBM Aspera Desktop Client 3.9.1 and earlier

2020-07-1700:46:14
www.ibm.com
7

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

JSON

Summary

Curl vulnerabilities CVE-2019-5443 impacts IBM Aspera High-Speed Transfer Server, IBM Aspera High-Speed Transfer Client, IBM Aspera Desktop Client 3.9.1 and earlier. The fix was delivered in version 3.9.3.

Vulnerability Details

CVEID:CVE-2019-5443
**DESCRIPTION:**A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl “engine”) on invocation. If that curl is invoked by a privileged user it can do anything it wants.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162844 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Aspera High-Speed Transfer Server 3.9.1 and earlier
IBM Aspera High-Speed Transfer Endpoint 3.9.1 and earlier
IBM Aspera Desktop Client 3.9.1 and earlier

Remediation/Fixes

The fix is delivered in version 3.9.6 of

IBM Aspera High-Speed Transfer Server,

IBM Aspera High-Speed Transfer Client,

IBM Aspera Desktop Client

Workarounds and Mitigations

None

CPENameOperatorVersion
aspera high-speed synceq3.9.3

Related

cve 1
hackerone 3
prion 1
redhatcve 1
ibm 1
osv 1
symantec 1
debiancve 1
ubuntucve 1
nessus 4
openvas 2
cloudfoundry 1
freebsd 1
photon 2
oracle 3
ics 1
cve
cve
CVE-2019-5443
2019-07-02 19:15:00
hackerone
hackerone
curl: Windows Privilege Escalation: Malicious OpenSSL Engine
2019-06-12 02:21:14
curl: curl on Windows can be forced to execute code via OpenSSL environment variables
2019-10-14 23:02:51
Internet Bug Bounty: Windows builds with insecure path defaults (CVE-2019-1552)
2019-08-28 00:18:59
prion
prion
Code injection
2019-07-02 19:15:00
redhatcve
redhatcve
CVE-2019-5443
2019-11-13 16:37:26
ibm
ibm
Security Bulletin: cURL vulnerability CVE-2019-5443 impacts IBM Aspera Streaming/IBM Aspera Streaming for Video version 3.9.6.1 and earlier
2020-12-08 18:23:44
osv
osv
CVE-2019-5443
2019-07-02 19:15:10
symantec
symantec
curl CVE-2019-5443 Local Code Injection Vulnerability
2019-06-24 00:00:00
debiancve
debiancve
CVE-2019-5443
2019-07-02 19:15:00
ubuntucve
ubuntucve
CVE-2019-5443
2019-07-02 00:00:00
nessus
nessus
Oracle Enterprise Manager Ops Center (Oct 2019 CPU)
2020-01-17 00:00:00
MySQL 5.7.x < 5.7.28 Multiple Vulnerabilities (Oct 2019 CPU)
2019-10-18 00:00:00
MySQL 8.0.x < 8.0.18 Multiple Vulnerabilities (Oct 2019 CPU)
2019-10-18 00:00:00
openvas
openvas
Oracle MySQL Server 5.7 <= 5.7.27 / 8.0 <= 8.0.17 Security Update (cpuoct2019) - Windows
2019-10-23 00:00:00
Oracle MySQL Server 5.7 <= 5.7.27 / 8.0 <= 8.0.17 Security Update (cpuoct2019) - Linux
2019-10-23 00:00:00
cloudfoundry
cloudfoundry
MySQL Security Updates - Oct 2019 | Cloud Foundry
2020-01-27 00:00:00
freebsd
freebsd
MySQL -- Multiple vulerabilities
2019-10-15 00:00:00
photon
photon
Critical Photon OS Security Update - PHSA-2023-4.0-0420
2023-07-05 00:00:00
Critical Photon OS Security Update - PHSA-2023-3.0-0603
2023-06-26 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2019
2020-01-22 00:00:00
Oracle Critical Patch Update Advisory - October 2020
2020-10-20 00:00:00
Oracle Critical Patch Update Advisory - April 2020
2020-04-14 00:00:00
ics
ics
Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
2023-12-14 12:00:00

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

JSON
Related for 62A292E97B485C3B75AC47FCD134FB3F08CB89E931113039BB13C9649654AF1D
cve1hackerone3prion1redhatcve1ibm1osv1symantec1debiancve1ubuntucve1nessus4openvas2cloudfoundry1freebsd1photon2oracle3ics1