CVE-2019-18780

high-risk

Published 2019-11-05

An arbitrary command injection vulnerability in the Cluster Server component of Veritas InfoScale allows an unauthenticated remote attacker to execute arbitrary commands as root or administrator. These Veritas products are affected: Access 7.4.2 and earlier, Access Appliance 7.4.2 and earlier, Flex Appliance 1.2 and earlier, InfoScale 7.3.1 and earlier, InfoScale between 7.4.0 and 7.4.1, Veritas Cluster Server (VCS) 6.2.1 and earlier on Linux/UNIX, Veritas Cluster Server (VCS) 6.1 and earlier on Windows, Storage Foundation HA (SFHA) 6.2.1 and earlier on Linux/UNIX, and Storage Foundation HA (SFHA) 6.1 and earlier on Windows.

Do I need to act?

6.4% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (6)

Access

Access Appliance

Flex Appliance

Infoscale

Cluster Server

Storage Foundation Ha

Affected Vendors

Veritas

References (8)

Patch https://www.veritas.com/content/support/en_US/security/VTS19-003

Patch https://www.veritas.com/content/support/en_US/security/VTS19-004

Patch https://www.veritas.com/content/support/en_US/security/VTS19-005

Patch https://www.veritas.com/content/support/en_US/security/VTS19-006

Patch https://www.veritas.com/content/support/en_US/security/VTS19-003

Patch https://www.veritas.com/content/support/en_US/security/VTS19-004

Patch https://www.veritas.com/content/support/en_US/security/VTS19-005

Patch https://www.veritas.com/content/support/en_US/security/VTS19-006

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 9/34 · Low

Exposure 13/34 · Low