CVE-2022-0848
Published: 04 March 2022
Summary
CVE-2022-0848 is a critical-severity OS Command Injection (CWE-78) vulnerability in Part-Db Project Part-Db. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-0848 is an OS command injection vulnerability, tracked as CWE-78, affecting the part-db/part-db GitHub repository in versions prior to 0.5.11. The flaw received a CVSS 3.1 score of 9.8, reflecting a network attack vector that requires no authentication or user interaction and can result in complete loss of confidentiality, integrity, and availability.
Unauthenticated remote attackers can supply crafted input that is passed to operating-system commands, enabling arbitrary command execution on the underlying server. Successful exploitation grants full control over the application and host, including the ability to read or modify data and disrupt service operation.
Public references include a GitHub commit that resolves the issue in version 0.5.11 and a detailed report on huntr.dev; administrators are therefore advised to upgrade immediately. A proof-of-concept remote-code-execution exploit has been published on Packet Storm.
The associated EPSS score is 0.4026, with no subsequent increase recorded.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15891
Vulnerability details
OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, i.e. OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.