CVE-2022-44794

An issue was discovered in Object First Ootbi BETA build 1.0.7.712. Management protocol has a flow which allows a remote attacker to execute arbitrary Bash code with root privileges. The command that sets the hostname doesn't validate input parameters. As a result, arbitrary data goes directly to the Bash interpreter. An attacker would need credentials to exploit this vulnerability. This is fixed in Object First Ootbi BETA build 1.0.13.1611.
Configurations

Configuration 1 (hide)

cpe:2.3:a:objectfirst:object_first:*:*:*:*:*:*:*:*

History

01 May 2025, 18:15

Type Values Removed Values Added
CWE CWE-94

21 Nov 2024, 07:28

Type Values Removed Values Added
References () https://objectfirst.com/security/of-20221024-0001/ - Vendor Advisory () https://objectfirst.com/security/of-20221024-0001/ - Vendor Advisory

17 Mar 2023, 21:15

Type Values Removed Values Added
Summary An issue was discovered in Object First 1.0.7.712. Management protocol has a flow which allows a remote attacker to execute arbitrary Bash code with root privileges. The command that sets the hostname doesn't validate input parameters. As a result, arbitrary data goes directly to the Bash interpreter. An attacker would need credentials to exploit this vulnerability. This is fixed in 1.0.13.1611. An issue was discovered in Object First Ootbi BETA build 1.0.7.712. Management protocol has a flow which allows a remote attacker to execute arbitrary Bash code with root privileges. The command that sets the hostname doesn't validate input parameters. As a result, arbitrary data goes directly to the Bash interpreter. An attacker would need credentials to exploit this vulnerability. This is fixed in Object First Ootbi BETA build 1.0.13.1611.

08 Nov 2022, 04:23

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
CPE cpe:2.3:a:objectfirst:object_first:*:*:*:*:*:*:*:*
CWE NVD-CWE-noinfo
References (MISC) https://objectfirst.com/security/of-20221024-0001/ - (MISC) https://objectfirst.com/security/of-20221024-0001/ - Vendor Advisory

07 Nov 2022, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-11-07 04:15

Updated : 2025-05-01 18:15


NVD link : CVE-2022-44794

Mitre link : CVE-2022-44794

CVE.ORG link : CVE-2022-44794


JSON object : View

Products Affected

objectfirst

  • object_first
CWE
NVD-CWE-noinfo CWE-94

Improper Control of Generation of Code ('Code Injection')