CVE-2022-25619 (GCVE-0-2022-25619)
Vulnerability from cvelistv5 – Published: 2022-03-30 14:55 – Updated: 2024-08-03 04:42
VLAI?
Summary
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in ping tool of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause run arbitrary code. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86.
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Profelis IT Consultancy | SambaBox |
Affected:
4.0 , ≤ 4.0
(custom)
|
Credits
Tugay Özçelebi
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:42:50.007Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.sambabox.io/sambabox-surum-4-0/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"x86"
],
"product": "SambaBox",
"vendor": "Profelis IT Consultancy",
"versions": [
{
"lessThanOrEqual": "4.0",
"status": "affected",
"version": "4.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tugay \u00d6z\u00e7elebi"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability in ping tool of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause run arbitrary code. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-30T14:55:17",
"orgId": "3039e14d-1e9f-46c2-98a6-44436e4ca5d5",
"shortName": "Profelis"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.sambabox.io/sambabox-surum-4-0/"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade SambaBox to 4.1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authenticated Command Injection to RCE",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@profelis.com.tr",
"ID": "CVE-2022-25619",
"STATE": "PUBLIC",
"TITLE": "Authenticated Command Injection to RCE"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SambaBox",
"version": {
"version_data": [
{
"platform": "x86",
"version_affected": "\u003c=",
"version_name": "4.0",
"version_value": "4.0"
}
]
}
}
]
},
"vendor_name": "Profelis IT Consultancy"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tugay \u00d6z\u00e7elebi"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability in ping tool of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause run arbitrary code. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.sambabox.io/sambabox-surum-4-0/",
"refsource": "CONFIRM",
"url": "https://www.sambabox.io/sambabox-surum-4-0/"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade SambaBox to 4.1"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "3039e14d-1e9f-46c2-98a6-44436e4ca5d5",
"assignerShortName": "Profelis",
"cveId": "CVE-2022-25619",
"datePublished": "2022-03-30T14:55:17",
"dateReserved": "2022-02-21T00:00:00",
"dateUpdated": "2024-08-03T04:42:50.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:profelis:sambabox:*:*:*:*:*:*:x86:*\", \"versionEndIncluding\": \"4.0\", \"matchCriteriaId\": \"72B249F6-F5DA-4809-AF06-D5071D3A04D3\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability in ping tool of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause run arbitrary code. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86.\"}, {\"lang\": \"es\", \"value\": \"Neutralizaci\\u00f3n inadecuada de los elementos especiales utilizados en un comando (\u0027Command Injection\u0027) vulnerabilidad en la herramienta ping de Profelis IT Consultancy SambaBox permite al usuario AUTENTICADO provocar la ejecuci\\u00f3n de c\\u00f3digo arbitrario. Este problema afecta: Profelis IT Consultancy SambaBox 4.0 versi\\u00f3n 4.0 y versiones anteriores en x86\"}]",
"id": "CVE-2022-25619",
"lastModified": "2024-11-21T06:52:27.337",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"cve@profelis.com.tr\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L\", \"baseScore\": 3.8, \"baseSeverity\": \"LOW\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 0.3, \"impactScore\": 3.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 6.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 4.6, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 3.9, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2022-03-30T15:15:08.260",
"references": "[{\"url\": \"https://www.sambabox.io/sambabox-surum-4-0/\", \"source\": \"cve@profelis.com.tr\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://www.sambabox.io/sambabox-surum-4-0/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "cve@profelis.com.tr",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"cve@profelis.com.tr\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-77\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-77\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-25619\",\"sourceIdentifier\":\"cve@profelis.com.tr\",\"published\":\"2022-03-30T15:15:08.260\",\"lastModified\":\"2024-11-21T06:52:27.337\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability in ping tool of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause run arbitrary code. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86.\"},{\"lang\":\"es\",\"value\":\"Neutralizaci\u00f3n inadecuada de los elementos especiales utilizados en un comando (\u0027Command Injection\u0027) vulnerabilidad en la herramienta ping de Profelis IT Consultancy SambaBox permite al usuario AUTENTICADO provocar la ejecuci\u00f3n de c\u00f3digo arbitrario. Este problema afecta: Profelis IT Consultancy SambaBox 4.0 versi\u00f3n 4.0 y versiones anteriores en x86\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@profelis.com.tr\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L\",\"baseScore\":3.8,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.3,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":4.6,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cve@profelis.com.tr\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:profelis:sambabox:*:*:*:*:*:*:x86:*\",\"versionEndIncluding\":\"4.0\",\"matchCriteriaId\":\"72B249F6-F5DA-4809-AF06-D5071D3A04D3\"}]}]}],\"references\":[{\"url\":\"https://www.sambabox.io/sambabox-surum-4-0/\",\"source\":\"cve@profelis.com.tr\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://www.sambabox.io/sambabox-surum-4-0/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…