CVE-2022-46478 - OpenCVE

The RPC interface in datax-web v1.0.0 and v2.0.0 to v2.1.2 contains no permission checks by default which allows attackers to execute arbitrary commands via crafted Hessian serialized data.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Datax-web Project	Datax-web

Configuration 1 [-]

cpe:2.3:a:datax-web_project:datax-web:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/WeiYe-Jing/datax-web/issues/587	Exploit Issue Tracking Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-01-13T00:00:00

Updated: 2023-01-13T00:00:00

Reserved: 2022-12-05T00:00:00

Link: CVE-2022-46478

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-01-13T01:15:10.090

Modified: 2023-01-23T18:00:25.200

Link: CVE-2022-46478

JSON object: View

Redhat Information

No data.

CWE

CWE-502