cbcvebase.
CVE-2022-0074
published 2022-10-27

CVE-2022-0074: Untrusted Search Path vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server Container allows Privilege Escalation. This…

PriorityP184high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
ITWVulnCheck KEVRansomware
Exploited in the wild
EPSS
1.15%
63.0th percentile
Untrusted Search Path vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server Container allows Privilege Escalation. This affects versions from 1.6.15 before 1.7.16.1.

Affected

3 ranges
VendorProductVersion rangeFixed in
litespeed_technologieslitespeed_web_server>= 1.6.15 < 1.7.16.11.7.16.1
litespeed_technologiesopenlitespeed_web_server>= 1.6.15 < 1.7.16.11.7.16.1
litespeedtechopenlitespeed>= 1.6.15 < 1.7.16.11.7.16.1

Detection & IOCsextracted from sources · hover to see the quote

path/usr/local/bin
filenameentrypoint.sh
snort
93190
snort
93191
  • Monitor for unexpected files placed in /usr/local/bin by the 'nobody' user, particularly files masquerading as legitimate binaries such as 'grep'. This is the core exploitation primitive for CVE-2022-0074.
  • Alert on file write events to /usr/local/bin performed by the 'nobody' process account within OpenLiteSpeed/LiteSpeed Docker containers, as this directory is writable by nobody by default in the vulnerable container image.
  • Detect privilege escalation from 'nobody' to 'root' in OpenLiteSpeed containers by monitoring process lineage where a root-owned script (entrypoint.sh) spawns a child process whose binary resolves from /usr/local/bin rather than a system path.
  • ·The privilege escalation is only exploitable in environments where /usr/local/bin is writable by the 'nobody' user. This is a non-default misconfiguration on standard Linux systems but is present by default in the vulnerable OpenLiteSpeed Docker container image (ols-dockerfiles repository).
  • ·Affected version range: OpenLiteSpeed 1.5.11 up to 1.7.16 and LiteSpeed Enterprise 5.4.6 up to 6.0.11. Patched versions are OpenLiteSpeed v1.7.16.1 and LiteSpeed v6.0.12.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck8.8HIGH
cisa7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.