CVE-2022-39987
HIGH 8.8 | EPSS 76.5%
RaspAP Command Injection vulnerability
Published: 8/1/2023 | Modified: 2/16/2024
Description
A command injection vulnerability in RaspAP 2.8.0 through 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the `entity` POST parameter in `/ajax/networking/get_wgkey.php`.
Affected packages (1)
- Packagist/billz/raspap-webgui: >= 2.8.0, < 2.9.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-39987
- PATCH: https://github.com/RaspAP/raspap-webgui
- WEB: https://github.com/RaspAP/raspap-webgui/blob/master/ajax/networking/get_wgkey.php
- WEB: https://github.com/RaspAP/raspap-webgui/commit/e87e7d1d3a61617430851f2a040379de1ff3dd9d
- WEB: https://github.com/RaspAP/raspap-webgui/pull/1395
- WEB: https://github.com/RaspAP/raspap-webgui/releases/tag/2.9.5
- WEB: https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2