CVE-2022-37027

Exploit

EPSS 9.32%
Veröffentlicht 21.09.2022 17:15:09
Zuletzt bearbeitet 28.05.2025 14:15:29
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ahsay ≫ Cloud Backup Suite Version9.1.4.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	9.32%	0.925

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

https://www.compass-security.com/en/research/advisories

Third Party Advisory

https://wiki.ahsay.com/doku.php?id=public:resources:release_notes_v9320

Vendor Advisory

Release Notes

https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp

Vendor Advisory

Product

https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_latest_hotfix

Vendor Advisory

Permissions Required

https://www.compass-security.com/fileadmin/Research/Advisories/2022_12_CSNC-2022-009_AhsayCBS_Java_Runtime_Parameter_Injection.txt