CVE-2022-44794: Remote code execution vulnerability in Object First
An issue was discovered in Object First 1.0.7.712. The management protocol has a flaw which allows a remote attacker to execute arbitrary Bash code with root privileges. The command that sets the hostname doesn’t validate input parameters. As a result, arbitrary data goes directly to the Bash interpreter. An attacker would need credentials to exploit this vulnerability. This is fixed in 1.0.13.1611.
Note: Object First will continue to update this vulnerability as new information becomes available.
Date: 2022-10-24
Status: Final
CVEs: TBA
- Overview
- Affected Versions
- Remediation
- Revision History
**Summary**
The management protocol has a flaw which allows a remote attacker to execute arbitrary Bash code with root privileges. The command that sets the hostname doesn’t validate input parameters.
**Impact**
As a result, arbitrary data goes directly to the Bash interpreter. An attacker needs valid credentials to exploit this vulnerability.
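The root cause described above is a hostname value reaching a shell unvalidated. The following is an added example (not Object First's code) of the two controls that close that class of bug: strict RFC 1123 validation of the hostname, and invoking the underlying tool with an argv list so no shell ever parses the value. `hostnamectl set-hostname` is assumed as the underlying command.

```python
"""Hardened hostname setter: validate input, never hand it to a shell."""
import re
import subprocess

# RFC 1123 label: letters, digits and hyphens, 1-63 chars,
# neither starting nor ending with a hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_HOSTNAME_LEN = 253


def is_valid_hostname(name: str) -> bool:
    """Return True only for syntactically valid hostnames.

    Anything else (shell metacharacters, whitespace, empty labels,
    over-long names) is rejected before it reaches any command.
    """
    if not name or len(name) > MAX_HOSTNAME_LEN:
        return False
    if name.endswith("."):  # a single trailing dot is allowed for FQDNs
        name = name[:-1]
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def set_hostname_argv(name: str) -> list:
    """Build the argv for the hostname change.

    The value becomes one argv element, so Bash never interprets it.
    Validation is still enforced so only a real hostname is accepted.
    (hostnamectl is an assumed example of the underlying tool.)
    """
    if not is_valid_hostname(name):
        raise ValueError("rejected hostname value: %r" % name)
    return ["hostnamectl", "set-hostname", name]


def set_hostname(name: str, runner=subprocess.run) -> int:
    """Apply the change with an argv list (shell=False); returns exit code.

    `runner` is injectable so callers can dry-run without touching the host.
    """
    return runner(set_hostname_argv(name), check=False).returncode


if __name__ == "__main__":
    for candidate in ("storage-01", "host;id", "-bad", "host name"):
        print(candidate, "->", is_valid_hostname(candidate))
```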
**Vulnerability Scoring**

| CVE | CVSS 3.x Score | Vector |
|-----|----------------|--------|
| TBA | – | – |
References

| Resource | Hyperlink |
|----------|-----------|
| NIST NVD | TBA |
**Affected Versions:**
Object First 1.0.7.712
Not affected versions:
N/A
**Software Versions and Fixes**
Fixed in Object First version 1.0.13.1611
**Workaround**
Update to Object First version 1.0.13.1611 or higher
**Obtaining Software Fixes**
Software updates will be available in Object First Update Manager. You can contact Support directly via email at [email protected] or via phone at +1 800 6657145.
**Status of Notice**
Final
Object First will continue to update information regarding this vulnerability as new details become available.
This vulnerability article should be considered the single source of current, up-to-date, authorized and accurate information posted by Object First Software.
Revision History

| Revision # | Date | Comments |
|------------|------|----------|
| 1.0 | 2022-10-24 | Initial Public Release and Final Status |