CVE-2022-22951

CVE Database · CVE-2022-22951

CVE-2022-22951

· CRITICALModified

CVSS v3.1

9.1

EPSS

21.93%

Published

Mar 23, 2022

Modified

Nov 21, 2024

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2) contains an OS command injection vulnerability. An authenticated, high privileged malicious actor with network access to the VMware App Control administration interface may be able to execute commands on the server due to improper input validation leading to remote code execution.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Weaknesses (CWE)

CWE-78

Affected Products (5)

vmware · carbon_black_app_control (up to 8.5.14)vulnerable

vmware · carbon_black_app_control (up to 8.6.6)vulnerable

vmware · carbon_black_app_control (up to 8.7.4)vulnerable

vmware · carbon_black_app_control (up to 8.8.2)vulnerable

microsoft · windows

References (2)

https://www.vmware.com/security/advisories/VMSA-2022-0008.html

PatchVendor Advisory

https://www.vmware.com/security/advisories/VMSA-2022-0008.html

PatchVendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs