Unrated severity · NVD Advisory · Published Jun 19, 2019 · Updated Aug 4, 2024

CVE-2019-12491

Description

OnApp before 5.0.0-88, 5.5.0-93, and 6.0.0-196 allows an attacker to run arbitrary commands with root privileges on servers managed by OnApp for XEN/KVM hypervisors. To exploit the vulnerability an attacker has to have control of a single server on a given cloud (e.g. by renting one). From the source server, the attacker can craft any command and trigger the OnApp platform to execute that command with root privileges on a target server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OnApp cloud orchestration platform before patched versions allows attackers with control of a single server to execute arbitrary commands as root on any managed server via SSH agent forwarding.

Vulnerability

OnApp before versions 5.0.0-88, 5.5.0-93, and 6.0.0-196 for XEN/KVM hypervisors exposes a feature that triggers an SSH connection from the OnApp platform to a managed server with SSH agent forwarding enabled. An attacker who controls a single server (e.g., by renting one) can relay authentication to any other server within the same cloud, allowing arbitrary command execution with root privileges. [1][2]
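Added example, not taken from the advisory or from OnApp's code: the flaw depends on agent forwarding being active on an outbound SSH connection, so this Python check resolves the effective `ForwardAgent` value that an OpenSSH client config yields for a given host, following ssh_config's first-obtained-value rule. The config text and hostnames are constructed; `Match` blocks and `Include` files are not evaluated.

```python
import fnmatch
import shlex

# Constructed sample: the wildcard block comes first, so its value wins
# even for hosts that a later block tries to lock down.
SAMPLE_CONFIG = """\
Host *
    ForwardAgent yes

Host hv-*.example.internal !hv-03.example.internal
    ForwardAgent no
    User root

Host bastion.example.internal
    ForwardAgent=no
"""

def host_matches(patterns, hostname):
    """Host rule: a positive pattern must match and no negated one may."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            positive = True
    return positive

def effective_forward_agent(config_text, hostname):
    """Return (value, line_no) of the first applicable ForwardAgent."""
    active = True  # options before any Host line apply to every host
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or one "=".
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        args = shlex.split(parts[1]) if len(parts) > 1 else []
        if key == "host":
            active = host_matches(args, hostname)
        elif key == "match":
            active = False  # simplification: Match blocks are skipped
        elif key == "forwardagent" and active and args:
            return args[0], line_no  # first obtained value wins
    return "no", None  # OpenSSH default when nothing sets it

def forwarding_enabled(config_text, hostname):
    """True for "yes", an agent socket path or a $VAR; False only for "no"."""
    return effective_forward_agent(config_text, hostname)[0].lower() != "no"
```

Because the first obtained value wins, host-specific `ForwardAgent no` entries only take effect when they appear before any wildcard block that enables forwarding.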

Exploitation

An attacker needs control of a single server managed by OnApp. From that server, the attacker can craft any command and trigger the OnApp platform to execute that command with root privileges on a target server. The exploitation leverages SSH agent forwarding to relay authentication. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary commands with root privileges on any server managed by the same OnApp instance, leading to full compromise of the cloud environment. [1]

Mitigation

OnApp released fixed versions 5.0.0-88, 5.5.0-93, and 6.0.0-196. Users should upgrade to these versions or later. The advisory is available in the OnApp release notes. [2]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • OnApp/OnApp · description
  • OnApp/OnApp · llm-create
    Range: before 5.0.0-88, 5.5.0-93, and 6.0.0-196

Patches

0

No patches discovered yet.

References

2
