PT-2022-27314 · Unknown · Object First Ootbi Beta

Published: 2022-11-07 · Updated: 2025-06-24 · CVE-2022-44794

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Object First Ootbi BETA versions 1.0.7.712 through 1.0.13.1610

Description

An issue was discovered in the management protocol, allowing a remote attacker to execute arbitrary Bash code with root privileges. The command that sets the hostname does not validate input parameters, resulting in arbitrary data being sent directly to the Bash interpreter. An attacker would need credentials to exploit this issue.

Recommendations

For versions 1.0.7.712 through 1.0.13.1610, update to Object First Ootbi BETA build 1.0.13.1611 to resolve the issue. As a temporary workaround, consider restricting access to the management protocol to minimize the risk of exploitation. Avoid using the hostname setting command until the issue is resolved.
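
The missing check named in the description, sketched as an added example (not Object First's code and not part of this advisory): the hostname is validated against an RFC 1123 allow-list and then passed as a single argv element, so no shell ever parses it. The use of Python, `hostnamectl`, and all function names are assumptions; the advisory does not describe the product's implementation.

```python
import re
import subprocess

# RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
MAX_HOSTNAME_LEN = 253


def validate_hostname(value):
    """Return the hostname unchanged if it is a valid RFC 1123 name, else raise ValueError."""
    if not isinstance(value, str) or not value or len(value) > MAX_HOSTNAME_LEN:
        raise ValueError("hostname must be a string of 1-253 characters")
    for label in value.split("."):
        # fullmatch rejects everything outside the allow-list: spaces, quotes,
        # ';', '$', backticks, newlines and every other shell metacharacter.
        if not _LABEL.fullmatch(label):
            raise ValueError("invalid hostname label: %r" % label)
    return value


def build_hostname_command(value):
    """Build an argv list; the value is one argument and is never parsed by a shell."""
    return ["hostnamectl", "set-hostname", "--", validate_hostname(value)]


def set_hostname(value):
    """Apply the hostname (hypothetical helper; needs root and systemd's hostnamectl)."""
    # A list argv with shell=False means Bash is not involved at any point.
    subprocess.run(build_hostname_command(value), check=True, shell=False)


# Constructed sample inputs: two valid names, then values that must be rejected.
SAMPLES = [
    "backup-node01", "ootbi.example.internal",
    "node name", "node;x", "node$(x)", "node`x`", "-node", "a" * 64, "node\n",
]


def classify(samples):
    """Return {sample: bool} recording whether each sample passes validation."""
    result = {}
    for s in samples:
        try:
            validate_hostname(s)
            result[s] = True
        except ValueError:
            result[s] = False
    return result
```

Validation belongs on the server side of the management protocol, before the value reaches any privileged helper; rejecting the request outright is preferable to trying to escape or quote the input.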

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2022-44794

Affected Products

Object First Ootbi Beta