Lucene search

CERTVDECVELIST:CVE-2022-47924

HistoryMar 27, 2023 - 1:41 p.m.

CVE-2022-47924 Arbitrary Code Execution using the validate function of csaf-validator-lib

2023-03-2713:41:21

CWE-20

CERTVDE

www.cve.org

arbitrary code execution

csaf-validator-lib

secvisogram

dos

CVSS3

6.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

An high privileged attacker may pass crafted arguments to the validate function of csaf-validator-lib of a locally installed Secvisogram in versions < 0.1.0 wich can result in arbitrary code execution and DoS once the users triggers the validation.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "csaf-validator-lib",
    "repo": "https://github.com/secvisogram/csaf-validator-lib",
    "vendor": "Secvisogram",
    "versions": [
      {
        "lessThan": "0.1.0",
        "status": "affected",
        "version": "0.0.0",
        "versionType": "semver"
      }
    ]
  }
]

References

wid.cert-bund.de/.well-known/csaf/white/2022/bsi-2022-0004.json

CVSS3

6.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

Related for CVELIST:CVE-2022-47924