CVE-2022-1410 - OpenCVE

OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Device42	Cmdb

Configuration 1 [-]

cpe:2.3:a:device42:cmdb:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/

History

No history.

MITRE

Status: PUBLISHED

Assigner: Bitdefender

Published: 2022-08-16T23:30:18.676392Z

Updated: 2024-09-16T22:35:09.293Z

Reserved: 2022-04-20T00:00:00

Link: CVE-2022-1410

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-17T00:15:08.243

Modified: 2022-08-18T19:24:03.640

Link: CVE-2022-1410

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "CMDB", "vendor": "Device42", "versions": [{"lessThan": "18.01.00", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"}, {"lang": "en", "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"}, {"lang": "en", "value": "Cristian BUZA - Security Engineer @ Bitdefender"}, {"lang": "en", "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"}], "datePublic": "2022-08-16T00:00:00", "descriptions": [{"lang": "en", "value": "OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 OS Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-16T23:30:18", "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "shortName": "Bitdefender"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"}], "solutions": [{"lang": "en", "value": "An update to Device42 CMDB version 18.01.00 fixes the issue."}], "source": {"discovery": "EXTERNAL"}, "title": "Remote Code Execution in Device42 ApplianceManager console", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-requests@bitdefender.com", "DATE_PUBLIC": "2022-08-16T19:00:00.000Z", "ID": "CVE-2022-1410", "STATE": "PUBLIC", "TITLE": "Remote Code Execution in Device42 ApplianceManager console"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "CMDB", "version": {"version_data": [{"version_affected": "<", "version_value": "18.01.00"}]}}]}, "vendor_name": "Device42"}]}}, "credit": [{"lang": "eng", "value": "\u0218tefania POPESCU - Team Lead, Security @ Bitdefender"}, {"lang": "eng", "value": "Ionu\u021b LALU - Security Engineer @ Bitdefender"}, {"lang": "eng", "value": "Cristian BUZA - Security Engineer @ Bitdefender"}, {"lang": "eng", "value": "Alexandru LAZ\u0102R - Security Researcher @ Bitdefender"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/", "refsource": "MISC", "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"}]}, "solution": [{"lang": "en", "value": "An update to Device42 CMDB version 18.01.00 fixes the issue."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:03:06.154Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"}]}]}, "cveMetadata": {"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "assignerShortName": "Bitdefender", "cveId": "CVE-2022-1410", "datePublished": "2022-08-16T23:30:18.676392Z", "dateReserved": "2022-04-20T00:00:00", "dateUpdated": "2024-09-16T22:35:09.293Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:device42:cmdb:*:*:*:*:*:*:*:*", "matchCriteriaId": "A0128DC2-AA38-4286-B20F-F762E2247356", "versionEndExcluding": "18.01.00", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad de Inyecci\u00f3n de Comandos del Sistema Operativo en el componente db_optimize de Device42 Asset Management Appliance permite a un atacante autenticado ejecutar c\u00f3digo remoto en el dispositivo. Este problema afecta: Device42 CMDB versi\u00f3n 18.01.00 y versiones anteriores."}], "id": "CVE-2022-1410", "lastModified": "2022-08-18T19:24:03.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "cve-requests@bitdefender.com", "type": "Secondary"}]}, "published": "2022-08-17T00:15:08.243", "references": [{"source": "cve-requests@bitdefender.com", "tags": ["Third Party Advisory"], "url": "https://www.bitdefender.com/blog/labs/a-red-team-perspective-on-the-device42-asset-management-appliance/"}], "sourceIdentifier": "cve-requests@bitdefender.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "cve-requests@bitdefender.com", "type": "Secondary"}]}