PT-2022-3812 · Fujitsu · Fujitsu ETERNUS CentricStor CS8000

Published: 2022-04-06 · Updated: 2022-06-27 · CVE-2022-31795

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Fujitsu ETERNUS CentricStor CS8000 versions prior to 8.1A SP02 P04

Description

The issue is a command injection in the Fujitsu ETERNUS CentricStor CS8000 device. An attacker can influence the username (user), password (pw), and file-name (file) parameters and inject special characters such as semicolons, backticks, or command-substitution sequences to force the application to execute arbitrary commands. The vulnerability resides in the grel_finfo function in grel.php.

Recommendations

Update to version 8.1A SP02 P04 or later to resolve the issue. As a temporary workaround, consider restricting access to the grel.php file and the grel_finfo function to minimize the risk of exploitation. Avoid using the parameters user, pw, and file in the affected API endpoint until the issue is resolved.
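
To review web server logs for the pattern described above, the following added example (not part of the original advisory and not vendor code) flags requests to grel.php whose user, pw or file values contain a semicolon, backtick or `$(` after percent-decoding. It assumes the parameters appear in the query string of an access log in common log format; the request path, addresses and values in the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

WATCHED = {"user", "pw", "file"}                 # parameters named in the advisory
META = re.compile(r";|`|\$\(")                   # semicolon, backtick, $( substitution
REQ = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # request line inside a log entry

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so that %253B is also seen as ';'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Sorted names of watched grel.php parameters carrying shell metacharacters."""
    m = REQ.search(log_line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    if not target.path.lower().endswith("/grel.php"):
        return []
    hits = set()
    # Split on '&' by hand: a raw ';' must stay inside the value being checked.
    for pair in target.query.split("&"):
        name, _, value = pair.partition("=")
        if unquote(name) in WATCHED and META.search(fully_decode(value)):
            hits.add(unquote(name))
    return sorted(hits)

def scan(lines):
    """Return (line_number, parameter_names) for every flagged line."""
    return [(n, p) for n, line in enumerate(lines, 1) if (p := suspicious_params(line))]

# Constructed sample log lines (assumed path, documentation-range addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2022:10:00:00 +0000] "GET /grel.php?user=admin&pw=secret&file=report.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2022:10:00:05 +0000] "GET /grel.php?user=admin%3Bid&pw=x&file=a HTTP/1.1" 200 40',
    '203.0.113.9 - - [01/Jan/2022:10:01:00 +0000] "GET /grel.php?user=a&pw=%2524%2528id%2529&file=%60id%60 HTTP/1.1" 200 40',
    '203.0.113.9 - - [01/Jan/2022:10:02:00 +0000] "GET /index.php?file=a%3Bb HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for n, params in scan(SAMPLE_LOG):
        print(f"line {n}: metacharacters in {', '.join(params)}")
```

Parameters sent in a POST body do not reach the access log, so this check only covers query-string requests; legitimate passwords containing a semicolon will also be flagged and need manual review.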

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2022-04609
CVE-2022-31795

Affected Products

Fujitsu ETERNUS CentricStor CS8000