PT-2022-16715 · Starwind · Starwind Stack, Starwind SAN/NAS

Published: 2022-02-06 · Updated: 2023-08-08 · CVE-2022-24552

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the vulnerable software and affected versions: StarWind SAN and NAS version 0.2 build 1633
Description: A flaw was found in the REST API of StarWind Stack. The REST command that manipulates a virtual disk does not validate its input parameters, and some of those parameters are interpolated directly into a bash script that the service runs. An attacker with non-root access to the API can therefore inject shell metacharacters and additional commands into a parameter, and the injected commands are executed with root privileges (network-reachable, low complexity, no authentication required per the CVSS vector above).
Recommendations: For StarWind SAN and NAS version 0.2 build 1633, restrict network access to the REST API (for example, to trusted management hosts only) until a patch is available. As a temporary workaround, avoid using the REST command that manipulates virtual disks to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
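The pattern the description refers to, shown as an added example that is not StarWind's code (the vendor's REST implementation is not published on this page): a handler that splices a request parameter into a shell command line next to a hardened version of the same handler. The handler names, the `name`/`size_gb` parameters, the allowlist regex and the use of `echo` as a stand-in for the real disk-manipulation command are assumptions made for the demonstration; the attacker input is constructed.

```python
"""Added example: OS command injection via a REST parameter, and its fix.

Not StarWind's code. The handler names, parameters, allowlist and the
`echo` placeholder for the real disk command are assumptions for the demo.
"""
import re
import subprocess

# Constructed attacker input: a plausible disk name followed by a shell
# separator and a second command. Against the real service the second
# command would run as root, because the script is executed as root.
MALICIOUS_NAME = "disk1; echo INJECTED"
VALID_NAME = "disk1"

# Allowlist for disk names (assumption: the product's real naming rules
# are not documented on this page).
DISK_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def vulnerable_create_disk(name: str, size_gb: int) -> str:
    """Interpolates the untrusted parameter into a command string and hands
    it to a shell: the pattern the advisory describes. ';', '&&', '$(...)'
    and friends in `name` are honoured by the shell."""
    cmd = f"echo creating {name} size {size_gb}G"
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout


def argv_only_create_disk(name: str, size_gb: int) -> str:
    """Defence 1 on its own: no shell at all. The parameter becomes one
    literal argv element, so metacharacters are never interpreted."""
    argv = ["echo", "creating", name, "size", f"{size_gb}G"]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


def hardened_create_disk(name: str, size_gb: int) -> str:
    """Defence 2 added on top: strict allowlist validation of every
    parameter before anything is executed, so a bad value is rejected
    at the API boundary rather than passed on to a privileged command."""
    if not DISK_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid disk name: {name!r}")
    if not isinstance(size_gb, int) or not 1 <= size_gb <= 65536:
        raise ValueError(f"invalid size: {size_gb!r}")
    return argv_only_create_disk(name, size_gb)


def injected_marker_executed(output: str) -> bool:
    """True if the injected `echo INJECTED` ran as its own command, i.e.
    a line of output begins with the marker instead of with 'creating'."""
    return any(line.startswith("INJECTED") for line in output.splitlines())


def demo() -> dict:
    """Runs all three handlers against the malicious input."""
    result = {
        "vulnerable_ran_injected": injected_marker_executed(
            vulnerable_create_disk(MALICIOUS_NAME, 10)),
        "argv_only_ran_injected": injected_marker_executed(
            argv_only_create_disk(MALICIOUS_NAME, 10)),
        "hardened_rejected": False,
        "hardened_valid_output": hardened_create_disk(VALID_NAME, 10).strip(),
    }
    try:
        hardened_create_disk(MALICIOUS_NAME, 10)
    except ValueError:
        result["hardened_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Running the block prints the vulnerable handler executing the injected command while the argv-based handler treats the same string as a literal disk name and the validating handler refuses it. Both defences matter: the argv list removes the shell from the path entirely, and the allowlist stops malformed values before they reach a command that runs as root, which is the privilege boundary this advisory is about.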

Weakness Enumeration

OS Command Injection (CWE-78)

Related Identifiers

CVE-2022-24552

Affected Products

Starwind San/Nas
Starwind Stack