CVE-2022-37027

 

Published at: - 21-09-2022 07:15

Last modified: - 22-09-2022 08:50

Total changes: - 2

Description

Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

 

Verification logic

 

Reference

• https://www.compass-security.com/en/research/advisories
• https://wiki.ahsay.com/doku.php?id=public:resources:release_notes_v9320
• https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp
• https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_latest_hotfix
• https://www.compass-security.com/fileadmin/Research/Advisories/2022_12_CSNC-2022-009_AhsayCBS_Java_Runtime_Parameter_Injection.txt

 

Keywords

NVD

 

CVE-2022-37027

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures