History: Jul 19, 2023 - 8:15 p.m.

CVE-2023-3722

2023-07-19 20:15:11
CWE-434
avaya
web.nvd.nist.gov
Tags: avaya, aura, device services, web application, cve-2023-3722, os command injection, remote code execution, security vulnerability

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.7
Confidence: High

EPSS: 0.003
Percentile: 71.3%

An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier.

Affected configurations

Nvd

Node: avaya aura_device_services, Range: 8.1.4.0

Vendor: avaya
Product: aura_device_services
Version: *
CPE: cpe:2.3:a:avaya:aura_device_services:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "Aura Device Services",
    "vendor": "Avaya",
    "versions": [
      {
        "lessThan": "8.1.4.1",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]
