CVE-2022-26019 — Path Traversal in Pfsense

CWE-22 — Path Traversal3 documents3 sources

Severity

8.8HIGHNVD

EPSS

1.1%

top 21.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netgate Pfsense Netgate Pfsense Plus Pfsense CE AND Pfsense Plus

Timeline

PublishedMar 31

Latest updateApr 1

Description

Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDnetgate/pfsense_plus< 22.01

▶CVEListV5pfsense/pfsense_ce_and_pfsense_pluspfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01

▶NVDnetgate/pfsense< 2.6.0

Patches

Patch: docs.netgate.com ↗Patch: jvn.jp ↗Patch: docs.netgate.com ↗

🔴Vulnerability Details

GHSA

GHSA-q5q3-h939-p643: Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2↗2022-04-01

▶

CVEList

CVE-2022-26019: Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2↗2022-03-31

▶