Avaya Aura Application Enablement Services weak permissions in web application

CVE-2022-2975

7.7HIGH

Key Information

Vendor: Avaya
Status: Avaya Aura Application Enablement Services
Vendor: CVE Published:; 6 October 2022

Summary

A vulnerability related to weak permissions was detected in Avaya Aura Application Enablement Services web application, allowing an administrative user to modify accounts leading to execution of arbitrary code as the root user. This issue affects Application Enablement Services versions 8.0.0.0 through 8.1.3.4 and 10.1.0.0 through 10.1.0.1. Versions prior to 8.0.0.0 are end of manufacturing support and were not evaluated.

Affected Version(s)

Avaya Aura Application Enablement Services <= 10.1.0.1

Avaya Aura Application Enablement Services <= 8.1.3.4

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Risk change from: 6.7 to: 7.7 - (HIGH)
Feb 22, 2024
Vulnerability published.
Oct 6, 2022
Vulnerability Reserved.
Aug 23, 2022

Collectors

NVD DatabaseMitre Database