Vulnerability Description
An arbitrary file upload issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. The BaseController class, from which each of the service controllers derives, allows the upload of arbitrary files. If the HTTP request is a multipart/form-data POST request, any parameter with a filename entry has its content written to a file in the Vocera upload-staging directory, under the filename specified in the parameter.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vocera | Report Server | >= 5.0.0, <= 5.8.0.135 |
| Vocera | Voice Server | >= 5.0.0, <= 5.8.0.135 |
Related Weaknesses (CWE)
References
- https://www.stryker.com/us/en/about/governance/cyber-security/product-security/ (Not Applicable)
- https://www.stryker.com/us/en/about/governance/cyber-security/product-security/v (Third Party Advisory)
FAQ
What is CVE-2022-46899?
CVE-2022-46899 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is Arbitrary File Upload. The BaseController class, that each of the service controllers derives from, allows fo...
How severe is CVE-2022-46899?
CVE-2022-46899 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-46899?
Check the references section above for vendor advisories and patch information. Affected products include: Vocera Report Server, Vocera Voice Server.