CVE-2022-37027

Exploit

EPSS 9.32%
Published 21.09.2022 17:15:09
Last modified 28.05.2025 14:15:29
Source cve@mitre.org
Teams watchlist Login
Open Login

Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user.

Affected products Warnungen 0 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Ahsay ≫ Cloud Backup Suite Version9.1.4.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	9.32%	0.925

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

https://www.compass-security.com/en/research/advisories

Third Party Advisory

https://wiki.ahsay.com/doku.php?id=public:resources:release_notes_v9320

Vendor Advisory

Release Notes

https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp

Vendor Advisory

Product

https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_latest_hotfix

Vendor Advisory

Permissions Required

https://www.compass-security.com/fileadmin/Research/Advisories/2022_12_CSNC-2022-009_AhsayCBS_Java_Runtime_Parameter_Injection.txt