CVE-2024-50603
Published: 08 January 2025
Description
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
Security Summary
CVE-2024-50603 is an OS command injection vulnerability (CWE-78) in Aviatrix Controller versions before 7.1.4191 and 7.2.x before 7.2.4996. The controller builds an OS command from request input without neutralizing shell metacharacters, so an attacker can inject commands through the /v1/api endpoint. Specifically, the cloud_type parameter of the list_flightpath_destination_instances action and the src_cloud_type parameter of the flightpath_connection_test action are passed into the command, and a crafted value in either one executes arbitrary commands on the controller.
The vulnerability is exploitable remotely by an unauthenticated attacker with low attack complexity, no user interaction, and no privileges required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, base score 10.0). Successful exploitation yields arbitrary code execution on the Aviatrix Controller host, with high impact to confidentiality, integrity, and availability; the scope is rated as changed (S:C), meaning the impact is not confined to the vulnerable component.
Aviatrix advisories recommend upgrading to 7.1.4191 on the 7.1 line or to 7.2.4996 on the 7.2 line. The issue is documented in Aviatrix PSIRT release notices and other security resources, and it is listed in the CISA Known Exploited Vulnerabilities Catalog, which CISA reserves for vulnerabilities with evidence of active exploitation; unpatched, internet-reachable controllers should therefore be treated as exposed rather than merely vulnerable.
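The following is an added illustration of the CWE-78 pattern the summary describes, written for this page; it is not Aviatrix Controller source and does not reproduce the actual vulnerable code path. It models an API handler that maps the two actions to their parameter (cloud_type or src_cloud_type), shows the unsafe pattern (value concatenated into a shell command string run with shell=True) beside a hardened handler (strict allowlist check plus an argv list with no shell), and uses a benign constructed payload so the difference is visible. The `echo`-based lookup command, the validation regex, the ACTION_PARAM mapping and the sample request dictionaries are all assumptions made for the demo.

```python
"""Constructed model of the CWE-78 pattern described for CVE-2024-50603.
Illustration code for this page, NOT Aviatrix Controller source. The
lookup command (a plain `echo`), the ACTION_PARAM mapping, the validation
regex and the sample requests are assumptions chosen for the demo."""
import re
import subprocess

# Which request parameter each action feeds into the OS command, following
# the advisory text: cloud_type for one action, src_cloud_type for the other.
ACTION_PARAM = {
    "list_flightpath_destination_instances": "cloud_type",
    "flightpath_connection_test": "src_cloud_type",
}

# Assumed shape of a legal value: short, alphanumeric/underscore only.
# Anything a shell could interpret (; | & $ ` ( ) space newline) fails this.
CLOUD_TYPE_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def handle_request_vulnerable(action, params):
    """Unsafe pattern: the attacker-controlled value is spliced into a
    command string that is then handed to /bin/sh via shell=True."""
    name = ACTION_PARAM[action]
    cmd = f"echo lookup {name}={params[name]}"  # string concatenation
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return 200, out.stdout


def handle_request_hardened(action, params):
    """Hardened handler: (1) reject the request unless the value matches
    the allowlist pattern, (2) never involve a shell: pass an argv list so
    metacharacters can only ever be literal argument text."""
    name = ACTION_PARAM.get(action)
    if name is None:
        return 404, "unknown action"
    value = params.get(name)
    if not isinstance(value, str) or CLOUD_TYPE_RE.fullmatch(value) is None:
        return 400, f"invalid {name}"
    argv = ["echo", f"lookup {name}={value}"]  # no shell=True
    out = subprocess.run(argv, capture_output=True, text=True)
    return 200, out.stdout


def shell_free_even_without_validation(value):
    """Defense in depth: with an argv list and shell=False, a payload that
    would have been executed under shell=True stays inert text."""
    out = subprocess.run(["echo", f"lookup cloud_type={value}"],
                         capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    # Constructed sample input: a benign second command after a separator.
    payload = {"cloud_type": "1; echo INJECTED"}
    print(handle_request_vulnerable("list_flightpath_destination_instances", payload))
    print(handle_request_hardened("list_flightpath_destination_instances", payload))
    print(handle_request_hardened("flightpath_connection_test", {"src_cloud_type": "1"}))
```

In the unsafe handler the output contains a second line, INJECTED, because the shell treated `;` as a command separator; the hardened handler returns a 400 for the same input, and even with validation removed the argv form prints the separator as literal text. Both controls matter: the allowlist stops the request at the API boundary, and dropping the shell removes the interpreter that gives metacharacters their meaning.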
Details
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
- KEV Date Added: 16 January 2025