The vulnerability is addressed in the 2018.1, 2018.2 versions of CloudVision Portal

December 20, 2019

Overview :

In CloudVision Portal all releases in the 2018.1 and 2018.2 Code train allows users with read-only permissions to bypass permissions for restricted functionality via CVP API calls through the Configlet Builder modules. This vulnerability can potentially enable authenticated users with read-only access to take actions that are otherwise restricted in the GUI.

Affected Product(s) :

All releases in the 2018.1 Code train
All releases in the 2018.2 Code train

Vulnerability Details :

CVE ID :	CVE-2019-15006
	CVSSv3 Base Score: 5.6 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N)

Solution :

The vulnerability is addressed in the 2019.1.0 and later versions of CloudVision Portal. We recommend upgrading to a remediated release to safeguard against this vulnerability.

Additionally, for the 2018.2 release train, a hotfix is available in the form of a python script that updates permissions for the affected APIs. For the 2018.1 code train, the suggested course of action is to upgrade to one of the remediated release versions (2019.1.0 and above).

Patch file download URL: SecAdvisory0044Hotfix.pyc

CloudVision Portal CVE-2019-15006

The vulnerability is addressed in the 2018.1, 2018.2 versions of CloudVision Portal

Getting Started

Use Cases

WAF Automation

Contact Us