9.8
CVE-2022-28171
- EPSS 84.11%
- Veröffentlicht 27.06.2022 18:15:09
- Zuletzt bearbeitet 21.11.2024 06:56:53
- Quelle hsrc@hikvision.com
- CVE-Watchlists
- Unerledigt
LoginThe web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Hikvision ≫ Ds-a71024 Firmware Version <= 2.3.8-6
Hikvision ≫ Ds-a71048 Firmware Version <= 2.3.8-6
Hikvision ≫ Ds-a71072r Firmware Version <= 2.3.8-6
Hikvision ≫ Ds-a80624s Firmware Version <= 2.3.8-6
Hikvision ≫ Ds-a81016s Firmware Version <= 2.3.8-6
Hikvision ≫ Ds-a72024 Firmware Version <= 2.3.8-6
Hikvision ≫ Ds-a72072r Firmware Version <= 2.3.8-6
Hikvision ≫ Ds-a80316s Firmware Version <= 2.3.8-6
Hikvision ≫ Ds-a82024d Firmware Version <= 2.3.8-6
Hikvision ≫ Ds-a71024 Firmware Version <= 1.1.4
Hikvision ≫ Ds-a71048r-cvs Firmware Version <= 1.1.4
Hikvision ≫ Ds-a72024 Firmware Version <= 1.1.4
Hikvision ≫ Ds-a72048r-cvs Firmware Version <= 1.1.4
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 84.11% | 0.993 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
| hsrc@hikvision.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.