CVE-2019-11994: Path Traversal
First published: Fri Jan 03 2020(Updated: )
A security vulnerability has been identified in HPE SimpliVity 380 Gen 9, HPE SimpliVity 380 Gen 10, HPE SimpliVity 380 Gen 10 G, HPE SimpliVity 2600 Gen 10, SimpliVity OmniCube, SimpliVity OmniStack for Cisco, SimpliVity OmniStack for Lenovo and SimpliVity OmniStack for Dell nodes. An API is used to execute a command manifest file during upgrade does not correctly prevent directory traversal and so can be used to execute manifest files in arbitrary locations on the node. The API does not require user authentication and is accessible over the management network, resulting in the potential for unauthenticated remote execution of manifest files. For all customers running HPE OmniStack version 3.7.9 and earlier. HPE recommends upgrading the OmniStack software to version 3.7.10 or later, which contains a permanent resolution. Customers and partners who can upgrade to 3.7.10 should upgrade at the earliest convenience. For all customers and partners unable to upgrade their environments to the recommended version 3.7.10, HPE has created a Temporary Workaround https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=mmr_sf-EN_US000061901&withFrame for you to implement. All customer should upgrade to the recommended 3.7.10 or later version at the earliest convenience.
Credit: security-alert@hpe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Hp Simplivity 380 Gen9 Firmware | >=3.6.2<=3.7.9 | |
| Hp Simplivity 380 Gen9 | ||
| Hp Simplivity 380 Gen10 G Firmware | >=3.7.8<=3.7.9 | |
| Hp Simplivity 380 Gen10 G | ||
| Hp Simplivity 380 Gen10 Firmware | >=3.7.1<=3.7.9 | |
| Hp Simplivity 380 Gen10 | ||
| Hp Simplivity 2600 Gen10 Firmware | >=3.7.5<=3.7.9 | |
| Hp Simplivity 2600 Gen10 | ||
| Hp Simplivity Omnicube Firmware | >=3.5.2<=3.7.9 | |
| Hp Simplivity Omnicube | ||
| Hp Simplivity Omnistack For Dell Firmware | >=3.5.2<=3.7.9 | |
| Hp Simplivity Omnistack For Dell | ||
| Hp Simplivity Omnistack For Cisco Firmware | >=3.5.2<=3.7.9 | |
| Hp Simplivity Omnistack For Cisco | ||
| Hp Simplivity Omnistack For Lenovo Firmware | >=3.5.2<=3.7.9 | |
| Hp Simplivity Omnistack For Lenovo |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this security vulnerability?
The vulnerability ID for this security vulnerability is CVE-2019-11994.
Which software versions are affected by this vulnerability?
The affected software versions include HPE SimpliVity 380 Gen 9 Firmware version 3.6.2 to 3.7.9, HPE SimpliVity 380 Gen 10 Firmware version 3.7.1 to 3.7.9, HPE SimpliVity 380 Gen 10 G Firmware version 3.7.8 to 3.7.9, HPE SimpliVity 2600 Gen 10 Firmware version 3.7.5 to 3.7.9, SimpliVity OmniCube Firmware version 3.5.2 to 3.7.9, SimpliVity OmniStack for Cisco Firmware version 3.5.2 to 3.7.9, SimpliVity OmniStack for Lenovo Firmware version 3.5.2 to 3.7.9, and SimpliVity OmniStack for Dell Firmware version 3.5.2 to 3.7.9.
What is the severity of CVE-2019-11994?
The severity of CVE-2019-11994 is critical.
What is the Common Vulnerabilities and Exposures (CVE) identifier for this vulnerability?
The Common Vulnerabilities and Exposures (CVE) identifier for this vulnerability is CVE-2019-11994.
Where can I find more information about this vulnerability?
You can find more information about this vulnerability [here](https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03956en_us).
- collector/nvd-index
- agent/severity
- agent/references
- agent/author
- agent/event
- agent/weakness
- agent/type
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/hp
- canonical/hp simplivity 380 gen9 firmware
- version/hp simplivity 380 gen9 firmware/3.6.2
- version/hp simplivity 380 gen9 firmware/3.7.9
- canonical/hp simplivity 380 gen9
- canonical/hp simplivity 380 gen10 g firmware
- version/hp simplivity 380 gen10 g firmware/3.7.8
- version/hp simplivity 380 gen10 g firmware/3.7.9
- canonical/hp simplivity 380 gen10 g
- canonical/hp simplivity 380 gen10 firmware
- version/hp simplivity 380 gen10 firmware/3.7.1
- version/hp simplivity 380 gen10 firmware/3.7.9
- canonical/hp simplivity 380 gen10
- canonical/hp simplivity 2600 gen10 firmware
- version/hp simplivity 2600 gen10 firmware/3.7.5
- version/hp simplivity 2600 gen10 firmware/3.7.9
- canonical/hp simplivity 2600 gen10
- canonical/hp simplivity omnicube firmware
- version/hp simplivity omnicube firmware/3.5.2
- version/hp simplivity omnicube firmware/3.7.9
- canonical/hp simplivity omnicube
- canonical/hp simplivity omnistack for dell firmware
- version/hp simplivity omnistack for dell firmware/3.5.2
- version/hp simplivity omnistack for dell firmware/3.7.9
- canonical/hp simplivity omnistack for dell
- canonical/hp simplivity omnistack for cisco firmware
- version/hp simplivity omnistack for cisco firmware/3.5.2
- version/hp simplivity omnistack for cisco firmware/3.7.9
- canonical/hp simplivity omnistack for cisco
- canonical/hp simplivity omnistack for lenovo firmware
- version/hp simplivity omnistack for lenovo firmware/3.5.2
- version/hp simplivity omnistack for lenovo firmware/3.7.9
- canonical/hp simplivity omnistack for lenovo