Vulnerability Details : CVE-2022-2975
A vulnerability related to weak permissions was detected in Avaya Aura Application Enablement Services web application, allowing an administrative user to modify accounts leading to execution of arbitrary code as the root user. This issue affects Application Enablement Services versions 8.0.0.0 through 8.1.3.4 and 10.1.0.0 through 10.1.0.1. Versions prior to 8.0.0.0 are end of manufacturing support and were not evaluated.
Products affected by CVE-2022-2975
- Avaya » Aura Application Enablement Services. Versions from (>=) 10.1.0.0 up to but not including (<) 10.1.0.2. CPE: cpe:2.3:a:avaya:aura_application_enablement_services:*:*:*:*:*:*:*:*
- Avaya » Aura Application Enablement Services. Versions from (>=) 8.0.0.0 up to but not including (<) 8.1.3.5. CPE: cpe:2.3:a:avaya:aura_application_enablement_services:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-2975
- 0.04%: probability of exploitation activity in the next 30 days
- ~12%: percentile, the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2022-2975
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.8 | 5.9 | NIST | |
7.7 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H | 1.1 | 6.0 | Avaya, Inc. | |
CWE ids for CVE-2022-2975
- The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Assigned by: securityalerts@avaya.com (Secondary)
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-2975
- https://download.avaya.com/css/public/documents/101083688 (ASA-2022-123, Vendor Advisory)