Vulnerability Description
OnApp before 5.0.0-88, 5.5.0-93, and 6.0.0-196 allows an attacker to run arbitrary commands with root privileges on servers managed by OnApp for XEN/KVM hypervisors. To exploit the vulnerability an attacker has to have control of a single server on a given cloud (e.g. by renting one). From the source server, the attacker can craft any command and trigger the OnApp platform to execute that command with root privileges on a target server.
CVSS Score
6.6 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Onapp | Onapp | 5.0.0 |
References
- https://docs.onapp.com/rn/general-security-advisory (Mitigation, Patch, Release Notes)
- https://skylightcyber.com/2019/06/07/all-your-cloud-are-belong-to-us-cve-2019-12 (Third Party Advisory)
FAQ
What is CVE-2019-12491?
CVE-2019-12491 is a vulnerability with a CVSS score of 6.6 (MEDIUM). OnApp before 5.0.0-88, 5.5.0-93, and 6.0.0-196 allows an attacker to run arbitrary commands with root privileges on servers managed by OnApp for XEN/KVM hypervisors. To exploit the vulnerability an attacker has to have control of a single server on a given cloud (e.g. by renting one). From the source server, the attacker can craft any command and trigger the OnApp platform to execute that command with root privileges on a target server.
How severe is CVE-2019-12491?
CVE-2019-12491 has been rated MEDIUM with a CVSS base score of 6.6/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2019-12491?
Check the references section above for vendor advisories and patch information; fixed builds are 5.0.0-88, 5.5.0-93, and 6.0.0-196. Affected product: OnApp (vendor: OnApp).