CVE-2019-5443

A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:oss_support_tools:20.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-07-02 19:15

Updated : 2024-02-28 17:08


NVD link : CVE-2019-5443

Mitre link : CVE-2019-5443

CVE.ORG link : CVE-2019-5443


JSON object : View

Products Affected

netapp

  • oncommand_workflow_automation
  • oncommand_unified_manager
  • oncommand_insight
  • snapcenter

oracle

  • enterprise_manager_ops_center
  • mysql_server
  • http_server
  • oss_support_tools

haxx

  • curl

microsoft

  • windows
CWE
CWE-427

Uncontrolled Search Path Element

CWE-94

Improper Control of Generation of Code ('Code Injection')