CVE-2019-3595

Improper Neutralization of Special Elements used in a Command ('Command Injection') in ePO extension in McAfee Data Loss Prevention (DLP) 11.x prior to 11.3.0 allows Authenticated Adminstrator to execute arbitrary code with their local machine privileges via a specially crafted DLP policy, which is exported and opened on the their machine. In our checks, the user must explicitly allow the code to execute.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
LOCAL
LOW
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
trellixCNA
2 LOW
LOCAL
LOW
HIGH
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
VendorProductVersion
mcafeedata_loss_prevention_endpoint
11.0 ≤
𝑥
< 11.1.200
mcafeedata_loss_prevention_endpoint
11.2.000 ≤
𝑥
< 11.3.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/109377
https://kc.mcafee.com/corporate/index?page=content&id=SB10289
http://www.securityfocus.com/bid/109377
https://kc.mcafee.com/corporate/index?page=content&id=SB10289