CVE-2022-1703 — OS Command Injection in SMA 210 Firmware

CWE-78 — OS Command Injection CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer7 documents6 sources

Severity

8.8HIGHNVD

CISA7.8

EPSS

4.1%

top 11.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sonicwall SMA 210 Firmware Sonicwall SMA 410 Firmware Sonicwall SMA 500v Firmware +1 more

Timeline

PublishedJun 8

Latest updateJun 9

Description

Improper neutralization of special elements in the SonicWall SSL-VPN SMA100 series management interface allows a remote authenticated attacker to inject OS Commands which potentially leads to remote command execution vulnerability or denial of service (DoS) attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5sonicwall/sma10010.2.0.9-41sv and earlier, 10.2.1.4-31sv and earlier+1

▶NVDsonicwall/sma_210_firmware10.2.1.4-31sv+1

▶NVDsonicwall/sma_410_firmware10.2.1.4-31sv+1

▶NVDsonicwall/sma_500v_firmware10.2.1.4-31sv+1

🔴Vulnerability Details

GHSA

GHSA-hqg7-64v9-2fg6: Improper neutralization of special elements in the SonicWall SSL-VPN SMA100 series management interface allows a remote authenticated attacker to inje↗2022-06-09

▶

CVEList

CVE-2022-1703: Improper neutralization of special elements in the SonicWall SSL-VPN SMA100 series management interface allows a remote authenticated attacker to inje↗2022-06-03

▶

VulnCheck

SonicWall sma_210_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')↗2022

▶

📋Vendor Advisories

CISA

Microsoft Malware Protection Engine Improper Restriction of Operations Vulnerability↗2022-03-03

▶