PT-2022-22971 · Kvf-Admin
Alter1125
Published: 2022-07-13 · Updated: 2023-08-08
CVE-2022-35857
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
kvf-admin through 2022-02-12
Description
The issue allows remote attackers to execute arbitrary code because deserialization of the rememberMe parameter is mishandled: the rememberMe value is encrypted with a key hardcoded in the com.kalvin.kvf.common.shiro.ShiroConfig file, so the key is the same in every deployment and gives no protection to the serialized data it wraps.
Recommendations
For kvf-admin through 2022-02-12, consider disabling deserialization of the rememberMe parameter until a patch is available. Restrict access to the com.kalvin.kvf.common.shiro.ShiroConfig file to minimize the risk of exploitation. Avoid using the rememberMe parameter on affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
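As an added illustration of the recommendations above (this is example code, not kvf-admin's actual ShiroConfig; a Spring-style configuration class is assumed and the key literal is a placeholder), the weak hardcoded-key pattern is shown beside two hardened Shiro rememberMe setups:

```java
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical configuration class; realm wiring is omitted for brevity.
@Configuration
public class ShiroConfigExample {

    // WEAK (the pattern this advisory describes): the AES key is a literal in
    // source, so it is identical in every deployment and known to anyone who
    // has read the code. The value below is a placeholder, not the project's key.
    static CookieRememberMeManager weakRememberMeManager() {
        CookieRememberMeManager mgr = new CookieRememberMeManager();
        mgr.setCipherKey(Base64.decode("AAAAAAAAAAAAAAAAAAAAAA==")); // hardcoded
        return mgr;
    }

    // HARDENED option 1: generate a fresh random 128-bit key at startup.
    // Existing rememberMe cookies become undecryptable after a restart,
    // which is the intended effect once a key is known to be exposed.
    @Bean
    public CookieRememberMeManager rememberMeManager() {
        CookieRememberMeManager mgr = new CookieRememberMeManager();
        byte[] key = new AesCipherService().generateNewKey().getEncoded();
        mgr.setCipherKey(key);
        return mgr;
    }

    // HARDENED option 2 (the advisory's interim recommendation): disable
    // rememberMe entirely so no rememberMe cookie is ever deserialized.
    // DefaultSecurityManager checks for a null RememberMeManager before use.
    @Bean
    public DefaultWebSecurityManager securityManager(CookieRememberMeManager rememberMeManager) {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        boolean disableRememberMe = true; // flip to false to use option 1
        sm.setRememberMeManager(disableRememberMe ? null : rememberMeManager);
        return sm;
    }
}
```

A grep for `setCipherKey(Base64.decode(` over a Shiro project is a quick way to find the weak pattern during review.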
Using Hardcoded Credentials
Weakness Enumeration
Related Identifiers
Affected Products
Kvf-Admin