Controller Security Vulnerabilities and Issues — Controller CVE List

Lucene search

AviatrixController

12 matches found

CVE•added 2020/05/22 9:15 p.m.•151 views

CVE-2020-13417

An Elevation of Privilege issue was discovered in Aviatrix VPN Client before 2.10.7, because of an incomplete fix for CVE-2020-7224. This affects Linux, macOS, and Windows installations for certain OpenSSL parameters.

9.8CVSS9.4AI score0.01174EPSS

CVE•added 2020/05/22 9:15 p.m.•120 views

CVE-2020-13414

An issue was discovered in Aviatrix Controller before 5.4.1204. It contains credentials unused by the software.

7.5CVSS7.5AI score0.00557EPSS

CVE•added 2020/05/22 9:15 p.m.•117 views

CVE-2020-13415

An issue was discovered in Aviatrix Controller through 5.1. An attacker with any signed SAML assertion from the Identity Provider can establish a connection (even if that SAML assertion has expired or is from a user who is not authorized to access Aviatrix), aka XML Signature Wrapping.

7.5CVSS7.4AI score0.00132EPSS

CVE•added 2020/05/22 9:15 p.m.•112 views

CVE-2020-13413

An issue was discovered in Aviatrix Controller before 5.4.1204. There is a Observable Response Discrepancy from the API, which makes it easier to perform user enumeration via brute force.

5.3CVSS5.2AI score0.00376EPSS

CVE•added 2020/05/22 9:15 p.m.•110 views

CVE-2020-13416

An issue was discovered in Aviatrix Controller before 5.4.1066. A Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery (CSRF) vulnerability for password resets.

6.5CVSS6.6AI score0.0019EPSS

CVE•added 2020/05/22 9:15 p.m.•109 views

CVE-2020-13412

An issue was discovered in Aviatrix Controller before 5.4.1204. An API call on the web interface lacked a session token check to control access, leading to CSRF.

8.8CVSS8.5AI score0.0013EPSS

CVE•added 2020/11/17 9:15 p.m.•53 views

CVE-2020-26552

An issue was discovered in Aviatrix Controller before R6.0.2483. Multiple executable files, that implement API endpoints, do not require a valid session ID for access.

7.5CVSS7.5AI score0.00282EPSS

CVE•added 2020/11/17 9:15 p.m.•47 views

CVE-2020-26549

An issue was discovered in Aviatrix Controller before R5.4.1290. The htaccess protection mechanism to prevent requests to directories can be bypassed for file downloading.

7.5CVSS7.5AI score0.00614EPSS

CVE•added 2020/11/17 9:15 p.m.•36 views

CVE-2020-26551

An issue was discovered in Aviatrix Controller before R5.3.1151. Encrypted key values are stored in a readable file.

7.5CVSS7.4AI score0.00156EPSS

CVE•added 2020/11/17 9:15 p.m.•36 views

CVE-2020-26553

An issue was discovered in Aviatrix Controller before R6.0.2483. Several APIs contain functions that allow arbitrary files to be uploaded to the web tree.

9.8CVSS9.3AI score0.00841EPSS

CVE•added 2020/11/17 9:15 p.m.•35 views

CVE-2020-26548

An issue was discovered in Aviatrix Controller before R5.4.1290. There is an insecure sudo rule: a user exists that can execute all commands as any user on the system.

9CVSS8.8AI score0.00427EPSS

CVE•added 2020/11/17 9:15 p.m.•32 views

CVE-2020-26550

An issue was discovered in Aviatrix Controller before R5.3.1151. An encrypted file containing credentials to unrelated systems is protected by a three-character key.

7.5CVSS7.4AI score0.00245EPSS