CVE-2022-36431

Опубликовано: 01 дек. 2022

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

An arbitrary file upload vulnerability in Rocket TRUfusion Enterprise before 7.9.6.1 allows unauthenticated attackers to execute arbitrary code via a crafted JSP file. Issue fixed in version 7.9.6.1.

Ссылки

https://docs.rocketsoftware.com/bundle/TRUfusionEnterprise_ReleaseNotes_V7.9.6.1/resource/TRUfusionEnterprise_ReleaseNotes_V7.9.6.1.pdf
Release Notes
Vendor Advisory
https://www.synacktiv.com/sites/default/files/2022-11/trufusion_enterprise_unauthenticated_arbitrary_file_write.pdf
Exploit
Third Party Advisory
https://docs.rocketsoftware.com/bundle/TRUfusionEnterprise_ReleaseNotes_V7.9.6.1/resource/TRUfusionEnterprise_ReleaseNotes_V7.9.6.1.pdf
Release Notes
Vendor Advisory
https://www.synacktiv.com/sites/default/files/2022-11/trufusion_enterprise_unauthenticated_arbitrary_file_write.pdf
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:rocketsoftware:trufusion:*:*:*:*:enterprise:*:*:*

Версия до 7.9.6.1 (исключая)

EPSS

Процентиль: 86%

0.03008

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-434

Связанные уязвимости

GHSA-hccp-2vx9-gv82