CVE-2022-40746 — Command Injection in IBM I Access Client Solutions

CWE-77 — Command Injection CWE-427 — Uncontrolled Search Path Element3 documents3 sources

Severity

6.7MEDIUMNVD

CNA7.2

EPSS

0.2%

top 59.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM I IBM I Access Client Solutions

Timeline

PublishedNov 21

Description

IBM i Access Family 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability. By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236581.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages2 packages

▶NVDibm/i_access_client_solutions1.1.2 — 1.1.4+1

▶CVEListV5ibm/i1.1.2 — 1.1.4+1

Patches

Patch: www.ibm.com ↗Patch: www.ibm.com ↗

🔴Vulnerability Details

CVEList

CVE-2022-40746: IBM i Access Family 1↗2022-11-21

▶

GHSA

GHSA-gp43-46q6-g3r3: IBM i Access Family 1↗2022-11-21

▶