PT-2022-25010 · Nokia · Nokia 1350 Oms

Fabio Romano +3 · Published 2022-09-13 · Updated 2022-10-01 · CVE-2022-39815

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

NOKIA 1350 OMS version R14.2

Description

The issue consists of multiple OS Command Injection vulnerabilities that allow unauthenticated users to execute commands on the operating system. The vulnerabilities occur via specific API endpoints, including "/CGI-BIN/OTNE 1-14/runBatch.cgi" via the file HTTP POST parameter, "/CGI-BIN/OTNE 1-14/getRadioTLs.cgi" via the context HTTP POST parameter, "/CGI-BIN/OTNE 1-14/runRouteReport.cgi" via the file HTTP POST parameter, and "/CGI-BIN/RemoteCommandManager.cgi" via the command HTTP POST parameter.

Recommendations

For NOKIA 1350 OMS version R14.2, consider disabling access to the vulnerable API endpoints "/CGI-BIN/OTNE 1-14/runBatch.cgi", "/CGI-BIN/OTNE 1-14/getRadioTLs.cgi", "/CGI-BIN/OTNE 1-14/runRouteReport.cgi", and "/CGI-BIN/RemoteCommandManager.cgi" until a patch is available. Restrict the use of the file, context, and command HTTP POST parameters in these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
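
To check whether the endpoints named above are still being reached after access has been disabled, the following added example (not part of the original advisory or any Nokia tooling) scans web access logs for requests to the four paths. It assumes Common/Combined Log Format; the function names and the sample log lines are constructed for illustration, and the case-insensitive, '+'-as-space matching is a deliberate over-match because the server's path handling is not described on this page.

```python
import re
from urllib.parse import unquote

# Endpoint paths exactly as listed in the advisory.
ADVISORY_ENDPOINTS = (
    "/CGI-BIN/OTNE 1-14/runBatch.cgi",
    "/CGI-BIN/OTNE 1-14/getRadioTLs.cgi",
    "/CGI-BIN/OTNE 1-14/runRouteReport.cgi",
    "/CGI-BIN/RemoteCommandManager.cgi",
)

# Assumption: the front-end web server writes Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+" (?P<status>\d{3})'
)

def normalize(target):
    """Reduce a request target to a comparable path. Deliberately over-matches:
    drops query/fragment, decodes %XX, reads '+' as space, collapses repeated
    slashes and folds case (the server's case handling is not known)."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path.replace("+", " "))
    return re.sub(r"/+", "/", path).lower()

WATCH = {normalize(p): p for p in ADVISORY_ENDPOINTS}

def find_hits(lines):
    """Return (source, timestamp, method, advisory endpoint, status) per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (endpoint := WATCH.get(normalize(m["target"]))):
            hits.append((m["src"], m["ts"], m["method"], endpoint, int(m["status"])))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Sep/2022:10:00:01 +0000] "POST /CGI-BIN/OTNE%201-14/runBatch.cgi HTTP/1.1" 200 512',
    '192.0.2.11 - - [13/Sep/2022:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [13/Sep/2022:10:00:03 +0000] "POST /cgi-bin//RemoteCommandManager.cgi?x=1 HTTP/1.1" 403 0',
    '198.51.100.7 - - [13/Sep/2022:10:00:04 +0000] "POST /CGI-BIN/OTNE+1-14/getRadioTLs.cgi HTTP/1.1" 200 87',
    '192.0.2.12 - - [13/Sep/2022:10:00:05 +0000] "GET /CGI-BIN/OTNE%201-14/runRouteReportX.cgi HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(*hit, sep="  ")
```

A hit with status 403 or 404 is consistent with the endpoint being blocked; a 200 means it is still reachable from that source.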

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2022-39815

Affected Products

Nokia 1350 Oms