CVE-2020-8949

Name of the Vulnerable Software and Affected Versions Gocloud S2A WL version 4.2.7.16471 Gocloud S2A versions 4.2.7.17278, 4.3.0.15815, 4.3.0.17193 Gocloud S3A K2P MTK version 4.2.7.16528 Gocloud S3A version 4.3.0.16572 Gocloud ISP3000 version 4.3.0.17190

Description The issue allows remote attackers to execute arbitrary OS commands via shell metacharacters in a ping operation. This can be demonstrated by the "cgi-bin/webui/admin/tools/app ping/diag ping/" substring.

Recommendations For Gocloud S2A WL version 4.2.7.16471, consider disabling the ping operation in the webui/admin/tools/app ping/diag ping/ endpoint until a patch is available. For Gocloud S2A versions 4.2.7.17278, 4.3.0.15815, 4.3.0.17193, restrict access to the vulnerable diag ping function to minimize the risk of exploitation. For Gocloud S3A K2P MTK version 4.2.7.16528, avoid using the app ping module in the affected API endpoint until the issue is resolved. For Gocloud S3A version 4.3.0.16572, consider temporarily disabling the webui/admin/tools module to prevent exploitation. For Gocloud ISP3000 version 4.3.0.17190, restrict access to the cgi-bin/webui/admin/tools/app ping/diag ping/ endpoint to minimize the risk of exploitation.