CRITICAL SEVERITY
CVE-2024-50603 Aviatrix · Controllers

Aviatrix Controllers OS Command Injection Vulnerability

Technical Severity

CVSS v3.1 Metrics

CRITICAL: 10 / 10
Vector Specification
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitation Likelihood

EPSS Prediction

Predictive Probability: 94.35%
Percentile Rank: 100.0th

Documented as more likely to be exploited than 100.0% of known CVEs.

Detection Date

Jan 16, 2025

Remediation Due

Feb 06, 2025

CISA Catalog Active

Threat Analysis

Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in the cloud_type parameter for list_flightpath_destination_instances, or in the src_cloud_type parameter for flightpath_connection_test.

Remediation Directive

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

External Intelligence