CVE-2022-24552

A flaw was found in the REST API in StarWind Stack. REST command, which manipulates a virtual disk, doesnt check input parameters. Some of them go directly to bash as part of a script. An attacker with non-root user access can inject arbitrary data into the command that will be executed with root privileges. This affects StarWind SAN and NAS v0.2 build 1633.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
VendorProductVersion
starwindsoftwarenas
𝑥
< 0.2
starwindsoftwaresan
𝑥
< 0.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.starwindsoftware.com/security/sw-20220203-0001/
https://www.starwindsoftware.com/security/sw-20220203-0001/