CVE-2022-37027

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

Published: Sep 21, 2022 / Updated: 26mo ago

CVSS 7.2 (High) / EPSS 0.14%

Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators who can modify the Runtime Options in the web interface can inject arbitrary Java runtime options, which take effect the next time the service restarts. For example, an attacker can enable the JMX remote agent and consequently achieve remote code execution as the system user. The CVSS vector below rates Privileges Required as High: this is a post-authentication issue that turns web-administrator access into code execution under the operating-system account running the JVM, not an unauthenticated remote exploit.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
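The root cause is that an administrator-controlled options string is handed to the JVM unchecked. The script below is an added example, not Ahsay code and not from the Compass Security advisory: it shows the audit check a practitioner would run over a runtime-options string (flagging JMX, JDWP, agent and on-error hook options, all of which hand code execution to whoever controls the command line) next to the deny-by-default allowlist a product should apply before passing such input to the JVM. The dangerous-option patterns, the allowlist of benign prefixes and the sample option strings are assumptions constructed for this example.

```python
"""Audit and allowlist checks for admin-supplied JVM runtime options.

Added illustration for CVE-2022-37027; not AhsayCBS code. The pattern list,
the allowlist and the sample strings below are assumptions for the example.
"""
import re
import shlex

# Option patterns that give whoever controls the JVM command line code
# execution or a remote control channel. JMX is the route the advisory names.
DANGEROUS = [
    (r"^-Dcom\.sun\.management\.jmxremote(\.|=|$)", "enables the JMX remote agent"),
    (r"^-agentlib:jdwp", "enables the JDWP debugger (arbitrary code execution)"),
    (r"^-Xrunjdwp", "enables the JDWP debugger (legacy form)"),
    (r"^-javaagent:", "loads an arbitrary Java agent jar"),
    (r"^-agentpath:", "loads an arbitrary native agent library"),
    (r"^-XX:OnError=", "runs a shell command when the JVM hits a fatal error"),
    (r"^-XX:OnOutOfMemoryError=", "runs a shell command on OutOfMemoryError"),
    (r"^-Xbootclasspath", "injects classes into the boot class path"),
]

# What an operator legitimately tunes (assumed allowlist): heap and stack
# sizing, one GC selector and two harmless -D keys. Anything else is rejected.
ALLOWED_PREFIXES = ("-Xmx", "-Xms", "-Xss", "-XX:MaxMetaspaceSize=",
                    "-XX:+UseG1GC", "-Dfile.encoding=", "-Duser.timezone=")


def split_options(opts):
    """Split a runtime-options string the way a shell would (quotes, escapes)."""
    return shlex.split(opts)


def find_dangerous(opts):
    """Return [(option, reason)] for every token matching a dangerous pattern."""
    findings = []
    for tok in split_options(opts):
        for pattern, reason in DANGEROUS:
            if re.match(pattern, tok):
                findings.append((tok, reason))
                break
    return findings


def is_allowed(opts):
    """Deny-by-default check: True only if every token has a known-benign prefix.

    This is the shape of fix a product should apply to admin input before it
    reaches the JVM: an allowlist, not an attempt to enumerate bad options.
    """
    return all(tok.startswith(ALLOWED_PREFIXES) for tok in split_options(opts))


# Constructed sample inputs (not taken from any AhsayCBS installation).
BENIGN = "-Xmx4g -Xms1g -Dfile.encoding=UTF-8"
JMX_INJECTED = ("-Xmx4g -Dcom.sun.management.jmxremote "
                "-Dcom.sun.management.jmxremote.port=9010 "
                "-Dcom.sun.management.jmxremote.authenticate=false "
                "-Dcom.sun.management.jmxremote.ssl=false")
OOM_HOOK = '-Xmx4g -XX:OnOutOfMemoryError="/tmp/payload.sh %p"'
JDWP = "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005"

if __name__ == "__main__":
    for label, opts in (("benign", BENIGN), ("jmx", JMX_INJECTED),
                        ("oom-hook", OOM_HOOK), ("jdwp", JDWP)):
        verdict = "allowed" if is_allowed(opts) else "REJECTED"
        print(f"{label:9} {verdict:9} {find_dangerous(opts)}")
```

The `shlex` split matters: the on-error hooks take a quoted command, and a check that splits on whitespace would see `"/tmp/payload.sh` as one token and `%p"` as another and miss the pattern. The same audit can be pointed at a running service by feeding it the JVM's command line from `ps` output, since the injected options only take effect after the restart the description mentions.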

Timeline

First Article

Feedly found the first article mentioning CVE-2022-37027: Sep 21, 2022 at 5:06 PM / nitter.net

EPSS

EPSS score was set to 0.14% (percentile: 49.2%) on Sep 17, 2023 at 3:15 AM

Affected Systems

Ahsay/cloud_backup_suite

Exploits

https://www.compass-security.com/fileadmin/Research/Advisories/2022_12_CSNC-2022-009_AhsayCBS_Java_Runtime_Parameter_Injection.txt

Patches

wiki.ahsay.com

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

References

Vulnerability Summary for the Week of September 19, 2022 (CISA bulletin SB22-269; original release date September 26, 2022, last revised September 27, 2022)

News

CPAI-2022-0932
The post CPAI-2022-0932 appeared first on Check Point Software .
US-CERT Bulletin (SB22-269): Vulnerability Summary for the Week of September 19, 2022
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High : vulnerabilities with a CVSS base score of 7.0–10.0 Medium : vulnerabilities with a CVSS base score of 4.0–6.9 Low : vulnerabilities with a CVSS base score of 0.0–3.9 Entries may include additional information provided by organizations and efforts sponsored by CISA.
CVE-2022-37027 (cloud_backup_suite)
🚨 NEW: CVE-2022-37027 🚨 Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runti... Severity: HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-37027

CVSS v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
