Command Injection Vulnerability in HP ThinPro VPN Software
CVE-2019-18909

8HIGH

Key Information:

Vendor
HP
Status
Thinpro Linux
Vendor
CVE Published:
22 November 2019

Summary

The VPN software utilized in HP ThinPro is susceptible to a command injection vulnerability due to improper handling of user-supplied input. This flaw can be exploited by attackers to inject malicious commands that are executed with root-level privileges, potentially compromising the entire system. Users of HP ThinPro, particularly in environments where VPN access is critical, should evaluate their exposure to this risk and consider implementing mitigations or upgrades as recommended by HP.

Affected Version(s)

ThinPro Linux 6.2

ThinPro Linux 6.2.1

ThinPro Linux 7.0

References

https://support.hp.com/us-en/document/c06509350
x_refsource_CONFIRM
http://seclists.org/fulldisclosure/2020/Mar/39
mailing-listx_refsource_FULLDISC
http://packetstormsecurity.com/files/156907/HP-ThinPro-6....
x_refsource_MISC

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.