Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI. Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands.
Tenable Appliance Web UI /simpleupload.py tns_appliance_session_user Parameter Remote Command Execution (VulnDB 153135 / CVE-2017-8051)
• Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI.
• Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands.
• Command Injection (CWE-77)
• The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
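The CWE-77 pattern described above, illustrated as an added example that is not Tenable's simpleupload.py: a request parameter (here a constructed stand-in for tns_appliance_session_user) is concatenated into a shell string, beside a hardened version that validates the value against an allow-list and passes it as a discrete argument with no shell involved. The allowed character set and the command being built are assumptions for illustration.

```python
import re
import subprocess
from typing import List

# Assumed allow-list for a session user name: letters, digits, '_', '.', '-'
# (constructed for this example; the real product's format is not on the page).
SESSION_USER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def build_command_unsafe(session_user: str) -> str:
    """Vulnerable shape (CWE-77): untrusted input is spliced into a shell
    command string.  If this string were handed to a shell (for example
    subprocess.run(cmd, shell=True)), shell metacharacters in the parameter
    would change the intended command.  Shown only to contrast with the fix."""
    return "ls -l /uploads/" + session_user


def validate_session_user(session_user: str) -> bool:
    """Return True only if the value matches the strict allow-list."""
    return SESSION_USER_RE.fullmatch(session_user) is not None


def build_command_safe(session_user: str) -> List[str]:
    """Hardened shape: reject anything outside the allow-list, then build
    the command as an argument list so no shell ever parses the value."""
    if not validate_session_user(session_user):
        raise ValueError("rejected session user value")
    return ["ls", "-l", "/uploads/" + session_user]


def run_safe(session_user: str) -> int:
    """Execute the hardened command without a shell; returns the exit code."""
    cmd = build_command_safe(session_user)
    # shell=False (the default) means argv is passed directly to execve,
    # so metacharacters could never be interpreted even if validation changed.
    completed = subprocess.run(cmd, shell=False, check=False,
                               capture_output=True)
    return completed.returncode


def is_rejected(session_user: str) -> bool:
    """Helper for checks: True if the hardened path refuses the value."""
    try:
        build_command_safe(session_user)
    except ValueError:
        return True
    return False
```

The same allow-list check is also a cheap detection rule: any request whose tns_appliance_session_user value fails it is worth flagging in web server logs while unpatched appliances remain in service.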
Tenable has released version 4.5.0 of the Appliance that resolves this issue. Users are strongly encouraged to use the online updating functionality or download the new version to upgrade.
On 2017-04-18, security researcher "agix" published an exploit for the remote command execution flaw (VulnDB 153135). As such, customers are more strongly encouraged to upgrade immediately.
System Affected/Related OS and Version:
This issue affects