Vulnerability Description
Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ahsay | Cloud Backup Suite | 9.1.4.0 |
Related Weaknesses (CWE)
References
- https://wiki.ahsay.com/doku.php?id=public:resources:release_notes_v9320Release NotesVendor Advisory
- https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.ProductVendor Advisory
- https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_latPermissions RequiredVendor Advisory
- https://www.compass-security.com/en/research/advisoriesThird Party Advisory
- https://www.compass-security.com/fileadmin/Research/Advisories/2022_12_CSNC-2022ExploitThird Party Advisory
- https://wiki.ahsay.com/doku.php?id=public:resources:release_notes_v9320Release NotesVendor Advisory
- https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.ProductVendor Advisory
- https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_latPermissions RequiredVendor Advisory
- https://www.compass-security.com/en/research/advisoriesThird Party Advisory
- https://www.compass-security.com/fileadmin/Research/Advisories/2022_12_CSNC-2022ExploitThird Party Advisory
FAQ
What is CVE-2022-37027?
CVE-2022-37027 is a vulnerability with a CVSS score of 7.2 (HIGH). Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options...
How severe is CVE-2022-37027?
CVE-2022-37027 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-37027?
Check the references section above for vendor advisories and patch information. Affected products include: Ahsay Cloud Backup Suite.