CVE-2022-45639

Exploit

EPSS 0.97%
Published 24.01.2023 02:15:09
Last modified 02.04.2025 15:15:47
Source cve@mitre.org
Teams watchlist Login
Open Login

OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter. NOTE: third parties have disputed this because there is no analysis showing that the backtick command executes outside the context of the user account that entered the command line.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Sleuthkit ≫ The Sleuth Kit Version4.11.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.97%	0.747

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

http://packetstormsecurity.com/files/171649/Sleuthkit-4.11.1-Command-Injection.html

http://www.binaryworld.it/

Vendor Advisory

Exploit

https://www.binaryworld.it/guidepoc.asp#CVE-2022-45639

Broken Link

https://nvd.nist.gov/vuln/detail/CVE-2022-45639

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-45639

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-45639

EUVD