CVE-2022-1399

Name of the Vulnerable Software and Affected Versions Device42 CMDB versions 18.01.00 and prior versions.

Description The issue is related to an Argument Injection or Modification vulnerability in the Discovery component of Device42 CMDB, specifically in the "Change Secret" username field. This allows a local attacker to run arbitrary code on the appliance with root privileges. The vulnerability can also be exploited remotely by creating an auto-discovery task, potentially allowing an attacker to execute arbitrary code.

Recommendations For Device42 CMDB versions 18.01.00 and prior, update to a version that includes a fix for this issue to prevent arbitrary code execution with root privileges. At the moment, there is no information about a newer version that contains a fix for this vulnerability.