CVE-2022-45639

OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter. NOTE: third parties have disputed this because there is no analysis showing that the backtick command executes outside the context of the user account that entered the command line.
Configurations

Configuration 1

cpe:2.3:a:sleuthkit:the_sleuth_kit:4.11.1:*:*:*:*:*:*:*

History

11 Apr 2024, 01:17

Type | Values Removed | Values Added
Summary | |
  • (es) OS Command Injection vulnerability in the sleuthkit fls tool version 4.11.1 allows attackers to execute arbitrary commands via a crafted value in the m parameter. NOTE: third parties have disputed this because there is no analysis showing that the backtick command executes outside the context of the user account that entered the command line.

07 Nov 2023, 03:54

Type | Values Removed | Values Added
Summary | ** DISPUTED ** OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter. NOTE: third parties have disputed this because there is no analysis showing that the backtick command executes outside the context of the user account that entered the command line. | OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter. NOTE: third parties have disputed this because there is no analysis showing that the backtick command executes outside the context of the user account that entered the command line.

03 Apr 2023, 20:15

Type | Values Removed | Values Added
References | |
  • (MISC) http://packetstormsecurity.com/files/171649/Sleuthkit-4.11.1-Command-Injection.html -

02 Feb 2023, 15:32

Type | Values Removed | Values Added
CVSS | v2 : unknown, v3 : 9.8 | v2 : unknown, v3 : 7.8

01 Feb 2023, 10:15

Type | Values Removed | Values Added
Summary | OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter. | ** DISPUTED ** OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter. NOTE: third parties have disputed this because there is no analysis showing that the backtick command executes outside the context of the user account that entered the command line.

31 Jan 2023, 15:58

Type | Values Removed | Values Added
CWE | | CWE-78
CPE | | cpe:2.3:a:sleuthkit:the_sleuth_kit:4.11.1:*:*:*:*:*:*:*
References | (MISC) https://www.binaryworld.it/guidepoc.asp#CVE-2022-45639 - | (MISC) https://www.binaryworld.it/guidepoc.asp#CVE-2022-45639 - Broken Link
References | (MISC) http://www.binaryworld.it/ - | (MISC) http://www.binaryworld.it/ - Exploit, Vendor Advisory
First Time | | Sleuthkit the Sleuth Kit, Sleuthkit
CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 9.8

24 Jan 2023, 02:15

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2023-01-24 02:15

Updated : 2024-04-11 01:17


NVD link : CVE-2022-45639

Mitre link : CVE-2022-45639

CVE.ORG link : CVE-2022-45639



Products Affected

sleuthkit

  • the_sleuth_kit
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')