Authenticated RCE on project configuration import in Guardian/CMC before 22.0.0
CVE-2022-0551
7.2 HIGH
What is CVE-2022-0551?
An improper input validation vulnerability in project file upload in Nozomi Networks Guardian and CMC allows an authenticated attacker with admin or import manager roles to execute unattended commands on the appliance using web server user privileges. This issue affects Nozomi Networks Guardian versions prior to 22.0.0 and Nozomi Networks CMC versions prior to 22.0.0.
Affected Version(s)
CMC < 22.0.0
Guardian < 22.0.0
References
CVSS V3.1
Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
SECURA B.V. found this bug during a scheduled VAPT testing session.