CVE-2022-32268 — Starwind SAN NAS vulnerability

3 documents3 sources

Severity

8.8HIGHNVD

EPSS

4.5%

top 10.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Starwindsoftware Starwind SAN NAS

Timeline

PublishedJun 3

Latest updateJun 4

Description

StarWind SAN and NAS v0.2 build 1914 allow remote code execution. A flaw was found in REST API in StarWind Stack. REST command, which allows changing the hostname, doesn’t check a new hostname parameter. It goes directly to bash as part of a script. An attacker with non-root user access can inject arbitrary data into the command that will be executed with root privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDstarwindsoftware/starwind_san_nas0.2

🔴Vulnerability Details

GHSA

GHSA-cgq8-x9fm-m5vm: StarWind SAN and NAS v0↗2022-06-04

▶

CVEList

CVE-2022-32268: StarWind SAN and NAS v0↗2022-06-03

▶