9.8
CVE-2022-24989
- EPSS 82.11%
- Published 20.08.2023 18:15:09
- Last modified 21.11.2024 06:51:31
- Source cve@mitre.org
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
Data provided by the National Vulnerability Database (NVD)
Terra-master ≫ Terramaster Operating System Version < 4.2.31
Terra-master ≫ F2-210 Version-
Terra-master ≫ F2-221 Version-
Terra-master ≫ F2-223 Version-
Terra-master ≫ F2-422 Version-
Terra-master ≫ F2-423 Version-
Terra-master ≫ F4-421 Version-
Terra-master ≫ F4-422 Version-
Terra-master ≫ F4-423 Version-
Terra-master ≫ F5-221 Version-
Terra-master ≫ F5-422 Version-
Terra-master ≫ T12-423 Version-
Terra-master ≫ T12-450 Version-
Terra-master ≫ T6-423 Version-
Terra-master ≫ T9-423 Version-
Terra-master ≫ T9-450 Version-
Terra-master ≫ U12-322-9100 Version-
Terra-master ≫ U12-423 Version-
Terra-master ≫ U12-722-2224 Version-
Terra-master ≫ U16-322-9100 Version-
Terra-master ≫ U16-722-2224 Version-
Terra-master ≫ U24-722-2224 Version-
Terra-master ≫ U4-111 Version-
Terra-master ≫ U4-211 Version-
Terra-master ≫ U4-423 Version-
Terra-master ≫ U8-111 Version-
Terra-master ≫ U8-322-9100 Version-
Terra-master ≫ U8-423 Version-
Terra-master ≫ U8-522-9400 Version-
Terra-master ≫ U8-722-2224 Version-
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 82.11% | 0.992 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.