CVE-2022-38130
CVE-2022-38130 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip() method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. EPSS estimates a 53.39% chance of exploitation in the next 30 days.
Description
The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip() method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. An unauthenticated, remote attacker can specify an UNC path for the database file (i.e., \\<attacker-host>\sms\<attacker-db.zip>), effectively controlling the content of the database to be restored.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Keysight | Sensor Management Server | 2.4.0 |
References
- https://www.tenable.com/security/research/tra-2022-28 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-38130?
How severe is CVE-2022-38130?
How do I fix CVE-2022-38130?
Are you affected by CVE-2022-38130?
Source: NVD / NIST
