CVE-2019-5443
02.07.2019, 19:15
A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.
Vendor | Product | Version |
---|---|---|
haxx | curl | 𝑥 ≤ 7.65.1 |
oracle | enterprise_manager_ops_center | 12.3.3 |
oracle | enterprise_manager_ops_center | 12.4.0 |
oracle | http_server | 12.2.1.3.0 |
oracle | http_server | 12.2.1.4.0 |
oracle | mysql_server | 5.0.0 ≤ 𝑥 ≤ 5.7.27 |
oracle | mysql_server | 8.0.0 ≤ 𝑥 ≤ 8.0.17 |
oracle | oss_support_tools | 20.0 |
netapp | oncommand_insight | - |
netapp | oncommand_unified_manager | 7.3 ≤ |
netapp | oncommand_unified_manager | 9.5 ≤ |
netapp | oncommand_workflow_automation | - |
netapp | snapcenter | - |
𝑥 = Vulnerable software versions

Common Weakness Enumeration
- CWE-94 - Improper Control of Generation of Code ('Code Injection'): The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- CWE-427 - Uncontrolled Search Path Element: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
References