Aviatrix: Security Vulnerabilities
An issue was discovered in Aviatrix Controller before R6.0.2483. Multiple executable files, that implement API endpoints, do not require a valid session ID for access.
CVSS Score
7.5
EPSS Score
0.003
Published
2020-11-17
An issue was discovered in Aviatrix Controller before R6.0.2483. Several APIs contain functions that allow arbitrary files to be uploaded to the web tree.
CVSS Score
9.8
EPSS Score
0.008
Published
2020-11-17
An issue was discovered in Aviatrix Controller before 5.4.1204. An API call on the web interface lacked a session token check to control access, leading to CSRF.
CVSS Score
8.8
EPSS Score
0.001
Published
2020-05-22
An issue was discovered in Aviatrix Controller before 5.4.1204. There is a Observable Response Discrepancy from the API, which makes it easier to perform user enumeration via brute force.
CVSS Score
5.3
EPSS Score
0.004
Published
2020-05-22
An issue was discovered in Aviatrix Controller before 5.4.1204. It contains credentials unused by the software.
CVSS Score
7.5
EPSS Score
0.006
Published
2020-05-22
An issue was discovered in Aviatrix Controller through 5.1. An attacker with any signed SAML assertion from the Identity Provider can establish a connection (even if that SAML assertion has expired or is from a user who is not authorized to access Aviatrix), aka XML Signature Wrapping.
CVSS Score
7.5
EPSS Score
0.001
Published
2020-05-22
An issue was discovered in Aviatrix Controller before 5.4.1066. A Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery (CSRF) vulnerability for password resets.
CVSS Score
6.5
EPSS Score
0.002
Published
2020-05-22
An Elevation of Privilege issue was discovered in Aviatrix VPN Client before 2.10.7, because of an incomplete fix for CVE-2020-7224. This affects Linux, macOS, and Windows installations for certain OpenSSL parameters.
CVSS Score
9.8
EPSS Score
0.012
Published
2020-05-22
The Aviatrix OpenVPN client through 2.5.7 on Linux, macOS, and Windows is vulnerable when OpenSSL parameters are altered from the issued value set; the parameters could allow unauthorized third-party libraries to load.
CVSS Score
9.8
EPSS Score
0.006
Published
2020-04-16
An authentication flaw in the AVPNC_RP service in Aviatrix VPN Client through 2.2.10 allows an attacker to gain elevated privileges through arbitrary code execution on Windows, Linux, and macOS.
CVSS Score
7.8
EPSS Score
0.003
Published
2019-12-05