CVE-2022-39987
HIGH8.8EPSS 76.5%RaspAP Command Injection vulnerability
發布日:2023/8/1修改日:2024/2/16
描述
A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the `entity` POST parameters in `/ajax/networking/get_wgkey.php`.
受影響套件(1)
- Packagist/billz/raspap-webgui>= 2.8.0, < 2.9.5
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-39987
- PATCHhttps://github.com/RaspAP/raspap-webgui
- WEBhttps://github.com/RaspAP/raspap-webgui/blob/master/ajax/networking/get_wgkey.php
- WEBhttps://github.com/RaspAP/raspap-webgui/commit/e87e7d1d3a61617430851f2a040379de1ff3dd9d
- WEBhttps://github.com/RaspAP/raspap-webgui/pull/1395
- WEBhttps://github.com/RaspAP/raspap-webgui/releases/tag/2.9.5
- WEBhttps://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2