CVE-2022-22909
Published 2022-03-03
Priority: P2 · 73 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Flags: EXPLOIT
EPSS: 45.43% (98.6th percentile)
HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | hoteldruid | < hoteldruid 3.0.4-1 (bookworm) | hoteldruid 3.0.4-1 (bookworm) |
| digitaldruid | hoteldruid | — | — |
| digitaldruid | hoteldruid | >= 0 < 3.0.4-1 | 3.0.4-1 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /visualizza_tabelle.php where the 'n_app' (room name) field contains PHP template injection payloads such as '${...}' or system() calls.
- Alert on GET requests to /dati/selectappartamenti.php containing a 'cmd' query parameter, which indicates active RCE exploitation of the planted webshell.
- The exploit checks for privilege by looking for the string 'Modify' in the response from visualizza_tabelle.php; monitor for repeated unauthenticated or low-privilege probes to this endpoint.
- Successful RCE is confirmed by the presence of 'uid=' in the HTTP response body from selectappartamenti.php, indicating command output from a Unix system() call.
- The vulnerability is triggered via the 'Create New Room' module (n_app field); inspect HotelDruid room name entries in the database for PHP code injection strings.
- The exploit supports a '--noauth' mode, meaning the HotelDruid dashboard may be deployed without authentication, making the attack possible without credentials.
- Fixed in HotelDruid version 3.0.4-1 (Debian bookworm/sid); bullseye remains open at time of advisory.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | n/a | 8.8 | HIGH | n/a |
| vendor_debian | n/a | 8.8 | HIGH | n/a |
Debian
CVE-2022-22909: hoteldruid - HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulner...
vendor_debian · 2022 · CVSS 8.8 [HIGH]
Scope: local
bookworm: resolved (fixed in 3.0.4-1)
bullseye: open
sid: resolved (fixed in 3.0.4-1)
GHSA
GHSA-mgcc-qmq4-wwgm: HotelDruid v3
ghsa_unreviewed · 2022-03-04 · HIGH · CWE-94
OSV
CVE-2022-22909: HotelDruid v3
osv · 2022-03-03 · CVSS 8.8 [HIGH]
No detection rules found.
No writeups or analysis indexed.
Published: 2022-03-03