StarWind SAN and NAS v0.2 build 1914 allow remote code execution. A flaw was found in REST API in StarWind Stack. REST command, which allows changing the hostname, doesn’t check a new hostname parameter. It goes directly to bash as part of a script. An attacker with non-root user access can inject arbitrary data into the command that will be executed with root privileges.
References
Link | Resource |
---|---|
https://www.starwindsoftware.com/security/sw-20220531-0001/ | Vendor Advisory |
Configurations
History
16 Nov 2022, 16:56
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 9.0
v3 : 8.8 |
29 Aug 2022, 13:15
Type | Values Removed | Values Added |
---|---|---|
Summary | StarWind SAN and NAS v0.2 build 1914 allow remote code execution. A flaw was found in REST API in StarWind Stack. REST command, which allows changing the hostname, doesn’t check a new hostname parameter. It goes directly to bash as part of a script. An attacker with non-root user access can inject arbitrary data into the command that will be executed with root privileges. |
12 Jun 2022, 02:51
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 9.0
v3 : 7.2 |
First Time |
Starwindsoftware starwind San \& Nas
Starwindsoftware |
|
CWE | NVD-CWE-noinfo | |
CPE | cpe:2.3:a:starwindsoftware:starwind_san_\&_nas:0.2:build_1914:*:*:*:*:*:* | |
References | (MISC) https://www.starwindsoftware.com/security/sw-20220531-0001/ - Vendor Advisory |
03 Jun 2022, 06:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-06-03 06:15
Updated : 2023-12-10 14:22
NVD link : CVE-2022-32268
Mitre link : CVE-2022-32268
CVE.ORG link : CVE-2022-32268
JSON object : View
Products Affected
starwindsoftware
- starwind_san_\&_nas
CWE