← Retour aux CVEs

CVE-2022-36006

HIGH

7.9

Description

Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. A remote code execution (RCE) vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This exists in all versions up to 2.4.1 and is fixed in 2.4.2. This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypesScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack. For versions of Arvados earlier than 2.4.2: remove the Ruby-based "Workbench 1" app ("apt-get remove arvados-workbench") from your installation as a workaround.

Details CVE

Score CVSS v3.17.9

SeveriteHIGH

Vecteur CVSSCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L

Vecteur d'attaqueNETWORK

ComplexiteHIGH

Privileges requisLOW

Interaction utilisateurREQUIRED

Publie8/15/2022

Derniere modification11/21/2024

Sourcenvd

Observations honeypot0

Produits affectes

arvados:arvados

Faiblesses (CWE)

CWE-94CWE-502CWE-502

References

https://arvados.org/release-notes/2.4.2/(security-advisories@github.com)

https://dev.arvados.org/issues/19316(security-advisories@github.com)

https://github.com/arvados/arvados/security/advisories/GHSA-8867-q4xf-cqgm(security-advisories@github.com)

https://arvados.org/release-notes/2.4.2/(af854a3a-2127-422b-91ae-364da2661108)

https://dev.arvados.org/issues/19316(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/arvados/arvados/security/advisories/GHSA-8867-q4xf-cqgm(af854a3a-2127-422b-91ae-364da2661108)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.