CVE-2022-32268 : StarWind SAN and NAS v0.2 build 1914 allow remote code execution. A flaw was fou

StarWind SAN and NAS v0.2 build 1914 allow remote code execution. A flaw was found in REST API in StarWind Stack. REST command, which allows changing the hostname, doesn’t check a new hostname parameter. It goes directly to bash as part of a script. An attacker with non-root user access can inject arbitrary data into the command that will be executed with root privileges.

Published 2022-06-03 06:15:08

Updated 2022-11-16 16:56:13

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2022-32268

Starwindsoftware » Starwind San & Nas » Version: 0.2 Update Build 1914
cpe:2.3:a:starwindsoftware:starwind_san_\&_nas:0.2:build_1914:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-32268

EPSS FAQ

3.46%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 87 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-32268

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.0	HIGH	AV:N/AC:L/Au:S/C:C/I:C/A:C	8.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2022-32268

https://www.starwindsoftware.com/security/sw-20220531-0001/

CVE-2022-32268 Remote code execution in StarWind products
Vendor Advisory

Jump to

Vulnerability Details : CVE-2022-32268

Products affected by CVE-2022-32268

Exploit prediction scoring system (EPSS) score for CVE-2022-32268

CVSS scores for CVE-2022-32268

References for CVE-2022-32268