CVE-2020-8233 — Command Injection in Edgeswitch Firmware

CWE-77 — Command Injection CWE-78 — OS Command Injection3 documents3 sources

Severity

8.8HIGHNVD

EPSS

14.9%

top 5.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

UI Edgeswitch Firmware Opensuse Backports SLE Opensuse Leap

Timeline

PublishedAug 17

Latest updateMay 24

Description

A command injection vulnerability exists in EdgeSwitch firmware <v1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDui/edgeswitch_firmware< 1.9.0

▶NVDopensuse/leap15.1, 15.2+1

▶NVDopensuse/backports_sle15.0

Patches

Patch: community.ui.com ↗Patch: community.ui.com ↗

🔴Vulnerability Details

GHSA

GHSA-wg23-cr77-5r75: A command injection vulnerability exists in EdgeSwitch firmware <v1↗2022-05-24

▶

CVEList

CVE-2020-8233: A command injection vulnerability exists in EdgeSwitch firmware <v1↗2020-08-17

▶