← Back to CVEs

CVE-2022-36006

HIGH

7.9

Description

Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. A remote code execution (RCE) vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This exists in all versions up to 2.4.1 and is fixed in 2.4.2. This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypesScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack. For versions of Arvados earlier than 2.4.2: remove the Ruby-based "Workbench 1" app ("apt-get remove arvados-workbench") from your installation as a workaround.

CVE Details

CVSS v3.1 Score7.9

SeverityHIGH

CVSS VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L

Attack VectorNETWORK

ComplexityHIGH

Privileges RequiredLOW

User InteractionREQUIRED

Published8/15/2022

Last Modified11/21/2024

Sourcenvd

Honeypot Sightings0

Affected Products

arvados:arvados

Weaknesses (CWE)

CWE-94CWE-502CWE-502

References

https://arvados.org/release-notes/2.4.2/(security-advisories@github.com)

https://dev.arvados.org/issues/19316(security-advisories@github.com)

https://github.com/arvados/arvados/security/advisories/GHSA-8867-q4xf-cqgm(security-advisories@github.com)

https://arvados.org/release-notes/2.4.2/(af854a3a-2127-422b-91ae-364da2661108)

https://dev.arvados.org/issues/19316(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/arvados/arvados/security/advisories/GHSA-8867-q4xf-cqgm(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.