CVE-2022-24552: OS Command Injection
First published: Sun Feb 06 2022(Updated: )
A flaw was found in the REST API in StarWind Stack. REST command, which manipulates a virtual disk, doesn’t check input parameters. Some of them go directly to bash as part of a script. An attacker with non-root user access can inject arbitrary data into the command that will be executed with root privileges. This affects StarWind SAN and NAS v0.2 build 1633.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Starwindsoftware Nas | <0.2 | |
| Starwindsoftware San | <0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this flaw?
The vulnerability ID for this flaw is CVE-2022-24552.
What is the severity level of CVE-2022-24552?
The severity level of CVE-2022-24552 is critical.
What is the affected software?
The affected software is StarWind Stack version up to and excluding 0.2, including Starwindsoftware Nas and Starwindsoftware San.
What is the CWE ID for this vulnerability?
The CWE ID for this vulnerability is CWE-78.
How can an attacker exploit this vulnerability?
An attacker with non-root user access can inject arbitrary data into a REST command that manipulates a virtual disk, which will be executed with root privileges.
- collector/nvd-api
- collector/nvd-index
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/severity
- agent/weakness
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- vendor/starwindsoftware
- canonical/starwindsoftware nas
- canonical/starwindsoftware san