CVE-2022-37298

CVSS 9.8 CRITICALEPSS 2.0%CWE-287

Vexday Risk Score

48Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.8EPSS 2.0%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

13 Oct 2022Public PoC

20 Oct 2022Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

Shinken Solutions Shinken Monitoring Version 2.4.3 affected is vulnerable to Incorrect Access Control. The SafeUnpickler class found in shinken/safepickle.py implements a weak authentication scheme when unserializing objects passed from monitoring nodes to the Shinken monitoring server.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

n/a · n/a

public PoCs found — 1

githubgithub.com/dbyio/cve-2022-37298★ 3

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/dbyio/cve-2022-37298 https://github.com/naparuba/shinken/commit/2dae40fd1e713aec9e1966a0ab7a580b9180cff2