CVE-2022-0073 - OpenCVE

Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Command Injection. This affects 1.7.0 versions before 1.7.16.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Litespeedtech	Openlitespeed

Configuration 1 [-]

cpe:2.3:a:litespeedtech:openlitespeed:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/litespeedtech/openlitespeed/blob/v1.7.16.1/dist/admin/html.open/lib/CValidation.php#L565
https://github.com/litespeedtech/openlitespeed/blob/v1.7.16/dist/admin/html.open/lib/CValidation.php#L565

History

No history.

MITRE

Status: PUBLISHED

Assigner: palo_alto

Published: 2022-10-27T19:30:54.053Z

Updated: 2024-08-02T23:18:41.683Z

Reserved: 2021-12-28T23:57:03.945Z

Link: CVE-2022-0073

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-10-27T20:15:12.740

Modified: 2023-11-07T03:40:56.557

Link: CVE-2022-0073

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-0073", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "state": "PUBLISHED", "assignerShortName": "palo_alto", "requesterUserId": "4bdfcd35-6352-4419-9b3e-118da80d0642", "dateReserved": "2021-12-28T23:57:03.945Z", "datePublished": "2022-10-27T19:30:54.053Z", "dateUpdated": "2024-08-02T23:18:41.683Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenLiteSpeed Web Server", "repo": "https://github.com/litespeedtech/openlitespeed", "vendor": "LiteSpeed Technologies", "versions": [{"lessThan": "1.7.16.1", "status": "affected", "version": "1.7.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "LiteSpeed Web Server", "vendor": "LiteSpeed Technologies", "versions": [{"lessThan": "1.7.16.1", "status": "affected", "version": "1.7.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Command Injection. This affects <span style=\"background-color: rgb(255, 255, 255);\">1.7.0 </span> versions <span style=\"background-color: rgb(255, 255, 255);\">before 1.7.16.1.</span><br>"}], "value": "Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and\u00a0LiteSpeed Web Server\u00a0dashboards allows Command Injection. This affects\u00a01.7.0 versions\u00a0before 1.7.16.1.\n"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2022-11-04T20:45:23.870Z"}, "references": [{"url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16/dist/admin/html.open/lib/CValidation.php#L565"}, {"url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16.1/dist/admin/html.open/lib/CValidation.php#L565"}], "source": {"discovery": "EXTERNAL"}, "title": "Authenticated Remote Code Execution in OpenLiteSpeed Web Server", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:18:41.683Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16/dist/admin/html.open/lib/CValidation.php#L565", "tags": ["x_transferred"]}, {"url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16.1/dist/admin/html.open/lib/CValidation.php#L565", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:litespeedtech:openlitespeed:*:*:*:*:*:*:*:*", "matchCriteriaId": "C73FDC55-CA39-411D-B385-4E6FF2F37706", "versionEndIncluding": "1.7.16.1", "versionStartIncluding": "1.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and\u00a0LiteSpeed Web Server\u00a0dashboards allows Command Injection. This affects\u00a01.7.0 versions\u00a0before 1.7.16.1.\n"}, {"lang": "es", "value": "Vulnerabilidad de Improper Input Validation en los dashboards de LiteSpeed ??Technologies OpenLiteSpeed ??Web Server y LiteSpeed ??Web Server permite la Inyecci\u00f3n de comandos. Esto afecta a las versiones 1.7.0 anteriores a la 1.7.16.1."}], "id": "CVE-2022-0073", "lastModified": "2023-11-07T03:40:56.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}]}, "published": "2022-10-27T20:15:12.740", "references": [{"source": "psirt@paloaltonetworks.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16.1/dist/admin/html.open/lib/CValidation.php#L565"}, {"source": "psirt@paloaltonetworks.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16/dist/admin/html.open/lib/CValidation.php#L565"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}]}