First published: Mon Aug 15 2022(Updated: )
Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. A remote code execution (RCE) vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This exists in all versions up to 2.4.1 and is fixed in 2.4.2. This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypesScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack. For versions of Arvados earlier than 2.4.2: remove the Ruby-based "Workbench 1" app ("apt-get remove arvados-workbench") from your installation as a workaround.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Arvados Arvados | <2.4.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-36006 is a remote code execution (RCE) vulnerability in the Arvados Workbench.
CVE-2022-36006 affects Arvados versions up to and excluding 2.4.2.
CVE-2022-36006 has a severity rating of 8.8 (high).
Authenticated attackers can exploit CVE-2022-36006 by executing arbitrary code through specially crafted JSON payloads.
You can find more information about CVE-2022-36006 in the release notes, issue tracker, and security advisories provided by Arvados.