CVE-2022-36006 : Arvados is an open source platform for managing, processing, and sharing genomic

Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. A remote code execution (RCE) vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This exists in all versions up to 2.4.1 and is fixed in 2.4.2. This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypesScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack. For versions of Arvados earlier than 2.4.2: remove the Ruby-based "Workbench 1" app ("apt-get remove arvados-workbench") from your installation as a workaround.

Published 2022-08-15 11:21:40

Updated 2023-06-29 16:18:37

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2022-36006

Arvados » Arvados » For Ruby
Versions before (<) 2.4.2
cpe:2.3:a:arvados:arvados:*:*:*:*:*:ruby:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-36006

EPSS FAQ

0.52%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 64 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-36006

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.9	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L	1.3	6.0	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: Low

CWE ids for CVE-2022-36006

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: security-advisories@github.com (Secondary)
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2022-36006

https://github.com/arvados/arvados/security/advisories/GHSA-8867-q4xf-cqgm

Authenticated remote code execution due to insecure deserialization (GHSL-2022-063) · Advisory · arvados/arvados · GitHub
Third Party Advisory
https://arvados.org/release-notes/2.4.2/

Arvados 2.4.2 Release Notes | Arvados
Vendor Advisory
https://dev.arvados.org/issues/19316

Bug #19316: Audit usage of Oj gem & make sure to use safe_load or replace with different gem - Arvados
Issue Tracking;Vendor Advisory

Jump to

Vulnerability Details : CVE-2022-36006

Products affected by CVE-2022-36006

Exploit prediction scoring system (EPSS) score for CVE-2022-36006

CVSS scores for CVE-2022-36006

CWE ids for CVE-2022-36006

References for CVE-2022-36006