PT-2019-12446 · Oneshield · Oneshield Policy

Ghost

Published: 2019-05-08
Updated: 2020-08-24

CVE-2019-11642

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OneShield Policy (Dragon Core) versions prior to 5.1.10

Description: A log poisoning issue has been found, allowing authenticated remote adversaries to poison log files by entering malicious payloads in either headers or form elements, which are then executed via a client-side debugging console. This issue is dependent on the debugging console and Java Bean being accessible to the deployed application.

Recommendations: For versions prior to 5.1.10, update to version 5.1.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the debugging console and Java Bean to minimize the risk of exploitation.

Fix

Code Injection

Weakness Enumeration

Related Identifiers: CVE-2019-11642

Affected Products: Oneshield Policy