Vulnerability Details CVE-2022-32268
StarWind SAN and NAS v0.2 build 1914 allow remote code execution. A flaw was found in REST API in StarWind Stack. REST command, which allows changing the hostname, doesn’t check a new hostname parameter. It goes directly to bash as part of a script. An attacker with non-root user access can inject arbitrary data into the command that will be executed with root privileges.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.037
EPSS Ranking 87.3%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 9.0
References
Products affected by CVE-2022-32268
-
cpe:2.3:a:starwindsoftware:starwind_san_&_nas:0.2