AhsayCBS 9.1.4.0 Runtime Options Injection RCE via Java opts
CVE-2022-37027 Published on September 21, 2022
Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user.
Vulnerability Analysis
CVE-2022-37027 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2022-37027. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is an Argument Injection Vulnerability?
The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
CVE-2022-37027 has been classified to as an Argument Injection vulnerability or weakness.
Products Associated with CVE-2022-37027
Want to know whenever a new CVE is published for Ahsay Cloud Backup Suite? stack.watch will email you.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.