CVE-2020-4002
https://notcve.org/view.php?id=CVE-2020-4002
The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1 handles system parameters in an insecure way. An authenticated SD-WAN Orchestrator user with high privileges may be able to execute arbitrary code on the underlying operating system. • http://www.vmware.com/security/advisories/VMSA-2020-0025.html
CVE-2020-4001
https://notcve.org/view.php?id=CVE-2020-4001
The SD-WAN Orchestrator 3.3.2, 3.4.x, and 4.0.x has default passwords allowing for a Pass-the-Hash Attack. SD-WAN Orchestrator ships with default passwords for predefined accounts which may lead to a Pass-the-Hash attack. • http://www.vmware.com/security/advisories/VMSA-2020-0025.html • CWE-1188: Initialization of a Resource with an Insecure Default