Aviatrix: >> Controller Security Vulnerabilities
An issue was discovered in Aviatrix Controller before 5.4.1204. There is a Observable Response Discrepancy from the API, which makes it easier to perform user enumeration via brute force.
CVSS Score
5.3
EPSS Score
0.004
Published
2020-05-22
An issue was discovered in Aviatrix Controller before 5.4.1204. It contains credentials unused by the software.
CVSS Score
7.5
EPSS Score
0.006
Published
2020-05-22
An issue was discovered in Aviatrix Controller through 5.1. An attacker with any signed SAML assertion from the Identity Provider can establish a connection (even if that SAML assertion has expired or is from a user who is not authorized to access Aviatrix), aka XML Signature Wrapping.
CVSS Score
7.5
EPSS Score
0.001
Published
2020-05-22
An issue was discovered in Aviatrix Controller before 5.4.1066. A Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery (CSRF) vulnerability for password resets.
CVSS Score
6.5
EPSS Score
0.002
Published
2020-05-22
An Elevation of Privilege issue was discovered in Aviatrix VPN Client before 2.10.7, because of an incomplete fix for CVE-2020-7224. This affects Linux, macOS, and Windows installations for certain OpenSSL parameters.
CVSS Score
9.8
EPSS Score
0.012
Published
2020-05-22
Page 2