cvelist | Certcc | CVELIST:CVE-2022-40238
History: Oct 26, 2022 - 3:15 p.m.

CVE-2022-40238 A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5

2022-10-26 15:15:45
CWE-502
certcc
www.cve.org
remote code injection
cert software
version 1.50.5
arbitrary pickle object
code execution
authenticated attacker

AI Score: 9.2 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 51.8%)

A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject an arbitrary pickle object as part of a user’s profile. This can lead to code execution on the server when the user’s profile is accessed.

CNA Affected

[
  {
    "versions": [
      {
        "version": "1.48.0",
        "status": "affected",
        "lessThan": "1.50.5",
        "versionType": "custom"
      }
    ],
    "product": "VINCE - The Vulnerability Information and Coordination Environment",
    "vendor": "CERT/CC"
  }
]
