Avaya Aura Application Enablement Services weak permissions in web application
CVE-2022-2975

7.7HIGH

Key Information:

Vendor: Avaya
Status: Avaya Aura Application Enablement Services
Vendor: CVE Published:; 6 October 2022

Summary

A vulnerability related to weak permissions was detected in Avaya Aura Application Enablement Services web application, allowing an administrative user to modify accounts leading to execution of arbitrary code as the root user. This issue affects Application Enablement Services versions 8.0.0.0 through 8.1.3.4 and 10.1.0.0 through 10.1.0.1. Versions prior to 8.0.0.0 are end of manufacturing support and were not evaluated.

Affected Version(s)

Avaya Aura Application Enablement Services 10.1.x <= 10.1.0.1

Avaya Aura Application Enablement Services 8.x <= 8.1.3.4

References

https://download.avaya.com/css/public/documents/101083688

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 6, 2022
Vulnerability Reserved
Aug 23, 2022