CVE-2020-10250
published 2020-03-09CVE-2020-10250: BWA DiREX-Pro 1.2181 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the PKG parameter to uninstall.php3.
PriorityP261critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
2.63%
83.6th percentile
BWA DiREX-Pro 1.2181 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the PKG parameter to uninstall.php3.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| k8s.io | kubernetes | >= 1.15.0 < 1.15.10 | 1.15.10 |
| k8s.io | kubernetes | >= 1.16.0 < 1.16.6 | 1.16.6 |
| k8s.io | kubernetes | >= 1.17.0 < 1.17.2 | 1.17.2 |
| meinbwa | direx-pro_firmware | — | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-fv67-43fc-pmc9: BWA DiREX-Pro 1
ghsa_unreviewed·2022-05-24
CVE-2020-10250 [HIGH] GHSA-fv67-43fc-pmc9: BWA DiREX-Pro 1
BWA DiREX-Pro 1.2181 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the PKG parameter to uninstall.php3.
GHSA
Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes
ghsa·2022-02-15
CVE-2020-8551 [MEDIUM] CWE-770 Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes
Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.
Red Hat
kubernetes: crafted requests to kubelet API allow for memory exhaustion
vendor_redhat·2020-03-23·CVSS 4.3
CVE-2020-8551 [MEDIUM] CWE-400 kubernetes: crafted requests to kubelet API allow for memory exhaustion
kubernetes: crafted requests to kubelet API allow for memory exhaustion
The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port 10255, and the authenticated HTTPS API typically served on port 10250.
A denial of service flaw was found in Kubernetes' Kubelet API. A remote attacker can exploit this flaw by sending repeated, crafted HTTP requests to exhaust available memory and cause a crash.
Statement: By default, OpenShift Container Platform does not allow unauthenticated access to the Kubelet API. OpenShift Container Platform versions before 4.2 are not affected by this vulnerability as they are based on ear
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2020-03-09
Published