MidnightBSD

Advisories for gigamon

CVE-2020-12251 LOW

An issue was discovered in Gigamon GigaVUE 5.5.01.11. The upload functionality allows an authenticated user to change the filename value (in the POST method) from the original filename to achieve directory traversal via a ../ sequence and, for example, obtain a complete directory listing of the machine.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.2 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N 0.7 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-22,

Products Affected

Vendor Product Version
gigamon gigavue *
CVE-2020-12252 MEDIUM

An issue was discovered in Gigamon GigaVUE 5.5.01.11. The upload functionality allows an arbitrary file upload for an authenticated user. If an executable file is uploaded into the www-root directory, then it could yield remote code execution via the filename parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.2 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H 0.7 5.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
gigamon gigavue *
CVE-2020-23249 MEDIUM

GigaVUE-OS (GVOS) 5.4 - 5.9 stores a Redis database password in plaintext.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-312,

Products Affected

Vendor Product Version
gigamon gigavue-os *
CVE-2020-23250 LOW

GigaVUE-OS (GVOS) 5.4 - 5.9 uses a weak algorithm for a hash stored in internal database.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.3 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 0.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-327,

Products Affected

Vendor Product Version
gigamon gigavue-os *
CVE-2023-0746

The help page in GigaVUE-FM, when using GigaVUE-OS software version 5.0 202, does not require an authenticated user. An attacker could enforce a user into inserting malicious JavaScript code into the URI, that could lead to a Reflected Cross site Scripting.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@incibe.es 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L 2.8 3.4
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
gigamon gigavue-os 5.0.202