Skip to main content

Deception CVE-2022-24392

HIGH
OS Command Injection (CWE-78)
2022-05-17 security@fidelissecurity.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
May 17, 2022 - 20:15 nvd
HIGH 8.8

DescriptionNVD

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “feed_comm_test” value for the “feed” parameter. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response via an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.

AnalysisAI

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “feed_comm_test” value for the “feed” parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “feed_comm_test” value for the “feed” parameter. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response via an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability. Affected products include: Fidelissecurity Deception, Fidelissecurity Network. Version information: prior to 9.4.5..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.

CVE-2021-35048 CRITICAL POC
9.8 Jun 25

Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interfa

CVE-2021-35049 HIGH POC
8.8 Jun 25

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web inter

CVE-2021-35047 HIGH POC
8.8 Jun 25

Vulnerability in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker

CVE-2021-35050 HIGH POC
7.5 Jun 25

User credentials stored in a recoverable format within Fidelis Network and Deception CommandPost. Rated high severity (C

CVE-2022-24394 HIGH
8.8 May 17

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web inter

CVE-2022-24393 HIGH
8.8 May 17

Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web inter

CVE-2022-24391 HIGH
8.8 May 17

Vulnerability in Fidelis Network and Deception CommandPost enables SQL injection through the web interface by an attacke

CVE-2022-24390 HIGH
8.8 May 17

Vulnerability in rconfig “remote_text_file” enables an attacker with user level access to the CLI to inject user level c

CVE-2022-24389 HIGH
8.8 May 17

Vulnerability in rconfig “cert_utils” enables an attacker with user level access to the CLI to inject root level command

CVE-2022-24388 HIGH
8.8 May 17

Vulnerability in rconfig “date” enables an attacker with user level access to the CLI to inject root level commands into

CVE-2022-0997 HIGH
7.8 May 17

Improper file permissions in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables

CVE-2022-0486 HIGH
7.8 May 17

Improper file permissions in the CommandPost, Collector, Sensor, and Sandbox components of Fidelis Network and Deception

Share

CVE-2022-24392 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy