PT-2022-16582 · Siemens · Sinec Nms+1
Published 2022-03-08 · Updated 2023-10-10 · CVE-2022-24282
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
- SINEC NMS versions 1.0.3 and later, prior to 2.0
- SINEC NMS versions prior to 1.0.3
- SINEMA Server V14 (all versions)
Description
A security issue has been found that allows the upload of JSON objects which are then deserialized into Java objects. This insecure deserialization of user-supplied content could be exploited by a privileged attacker (the vector requires high privileges, PR:H), who could send a maliciously crafted serialized Java object to execute arbitrary code on the device with root privileges.
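The advisory does not name the JSON library or the configuration that led to the issue. The following is an added illustration, not SINEC NMS, SINEMA Server or Siemens code, and it assumes a Jackson-based binding (an assumption): it places the unsafe pattern the advisory describes, accepting whatever class the payload names, beside the hardened form, where polymorphic type handling is restricted to an allowlist of the application's own model types so that an unexpected class name is rejected before any of its constructors or setters run. The class `SafeJsonBinding`, the model type `DeviceNote` and the sample payloads are hypothetical.

```java
// Added example, not code from the advisory or the affected products.
// Assumes Jackson 2.10+ (com.fasterxml.jackson.databind). Names below are
// hypothetical: SafeJsonBinding, DeviceNote and the two sample payloads.
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

public class SafeJsonBinding {

    // Hypothetical model type that the upload endpoint is meant to accept.
    public static class DeviceNote {
        public String deviceId;
        public String text;
    }

    // Weak configuration: default typing is on and the validator accepts any
    // class named in the "@class" property, so the uploader chooses which
    // Java class gets instantiated (the pattern behind CWE-502 findings).
    static ObjectMapper permissiveMapper() {
        return JsonMapper.builder()
                .activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                        ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY)
                .build();
    }

    // Hardened configuration: only subtypes whose class name starts with our
    // own prefix may be resolved from a type id; everything else is denied
    // before Jackson touches the named class.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(SafeJsonBinding.class.getName() + "$")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv,
                        ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY)
                .build();
    }

    // Returns true if the mapper bound the payload, false if it refused it.
    static boolean accepts(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (InvalidTypeIdException e) {
            // Type id outside the allowlist: logged here as a rejected upload.
            System.out.println("rejected type id: " + e.getTypeId());
            return false;
        } catch (Exception e) {
            // Any other binding failure is also treated as a rejection.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample payloads (not from the advisory).
        String expected = "{\"@class\":\"" + DeviceNote.class.getName()
                + "\",\"deviceId\":\"plc-01\",\"text\":\"maintenance window\"}";
        // A type id that is not one of our model types; a benign JDK class is
        // used here only to show that the allowlist, not the class, decides.
        String unexpected = "{\"@class\":\"java.util.HashMap\",\"k\":\"v\"}";

        System.out.println("permissive accepts expected:   " + accepts(permissiveMapper(), expected));
        System.out.println("permissive accepts unexpected: " + accepts(permissiveMapper(), unexpected));
        System.out.println("hardened accepts expected:     " + accepts(hardenedMapper(), expected));
        System.out.println("hardened accepts unexpected:   " + accepts(hardenedMapper(), unexpected));
    }
}
```

The permissive mapper binds both payloads; the hardened one binds only the `DeviceNote` payload and refuses the other with an `InvalidTypeIdException`, which is the event a defender would log and alert on. The allowlist approach addresses the deserialization weakness itself; the advisory's stated impact (code execution as root) is a separate, least-privilege concern, since a service that binds uploaded data has no need to run with root privileges.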
Recommendations
- For SINEC NMS versions 1.0.3 and later, prior to 2.0: update to a version that addresses the insecure deserialization issue.
- For SINEC NMS versions prior to 1.0.3: update to a version that addresses the insecure deserialization issue.
- For SINEMA Server V14: update to a version that addresses the insecure deserialization issue.
Weakness Enumeration
Deserialization of Untrusted Data (CWE-502)
Related Identifiers
CVE-2022-24282
Affected Products
- Sinec Nms
- Sinema Server