CVE-2019-12120
Published 2020-03-18
Priority: P261 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.07% (79.0th percentile)
An issue was discovered in ONAP VNFSDK through Dublin. By accessing port 8000 of demo-vnfsdk-vnfsdk, an unauthenticated attacker (who already has access to pod-to-pod communication) may execute arbitrary code inside that pod. All ONAP Operations Manager (OOM) setups are affected.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| f5 | big-ip_aam | — | — |
| f5 | big-ip_afm | — | — |
| f5 | big-ip_analytics | — | — |
| f5 | big-ip_apm | — | — |
| f5 | big-ip_asm | — | — |
| f5 | big-ip_dns | — | — |
| f5 | big-ip_edge_gateway | — | — |
| f5 | big-ip_fps | — | — |
| f5 | big-ip_gtm | — | — |
| f5 | big-ip_link_controller | — | — |
| f5 | big-ip_ltm | — | — |
| f5 | big-ip_pem | — | — |
| f5 | big-ip_webaccelerator | — | — |
| onap | open_network_automation_platform | >= 3.0.0 < 4.0.0 | 4.0.0 |
CVSS provenance
nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA
GHSA-3mxf-gmrf-p76m: An issue was discovered in ONAP VNFSDK through Dublin
ghsa_unreviewed·2022-05-24
CVE-2019-12120 [HIGH] CWE-94 GHSA-3mxf-gmrf-p76m: An issue was discovered in ONAP VNFSDK through Dublin
F5
CVE-2019-6644: Similar to the issue identified in CVE-2018-12120, on versions 14
vendor_f5·2019-09-04·CVSS 9.4
CVE-2019-6644 [HIGH] CVE-2019-6644: Similar to the issue identified in CVE-2018-12120, on versions 14
Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized users if the plugin is left in debug mode and the port is accessible.
Affected Products: BIG-IP AAM, BIG-IP AFM, BIG-IP APM, BIG-IP ASM, BIG-IP Analytics, BIG-IP DNS, BIG-IP Edge Gateway, BIG-IP FPS, BIG-IP GTM, BIG-IP LTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP WebAccelerator
Affected Versions: 12.1.3 - 12.1.4; 13.0.0 - 13.1.2; 14.0.0; 14.1.0
F5 Advisory Articles: K75532331
F5 References: https://support.f5.com/csp/article/K75532331
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.