Vulnerability Details : CVE-2022-37027
Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators who can modify the Runtime Options in the web interface can inject Java runtime options, which take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user.
Vulnerability category: Execute code
Products affected by CVE-2022-37027
- cpe:2.3:a:ahsay:cloud_backup_suite:9.1.4.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-37027
- EPSS score: 0.54% (probability of exploitation activity in the next 30 days)
- Percentile: ~77% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-37027
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST | 
CWE ids for CVE-2022-37027
- The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-37027
- https://wiki.ahsay.com/doku.php?id=public:resources:release_notes_v9320 (v9.3.2.0 Release Notes (27-Jun-2022) [Ahsay Wiki]): Release Notes; Vendor Advisory
- https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_latest_hotfix: Permissions Required; Vendor Advisory
- https://www.compass-security.com/fileadmin/Research/Advisories/2022_12_CSNC-2022-009_AhsayCBS_Java_Runtime_Parameter_Injection.txt: Exploit; Third Party Advisory
- https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp (Download AhsayCBS Latest Version - Ahsay Backup): Product; Vendor Advisory
- https://www.compass-security.com/en/research/advisories (Advisories - Compass Security): Third Party Advisory