Cyber Resilience

CVE-2022-26111

High · Public PoC · RCE

Published: 25 April 2022

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0737 (91.9th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-26111 is a high-severity Expression Language Injection (CWE-917) vulnerability in Canon IRISNext. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 8.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-26111 affects the BeanShell components of IRISNext through version 9.8.28. The vulnerability permits execution of arbitrary commands on the target server when an authenticated user creates a custom search or edits an existing or predefined document search. The search interface accepts BeanShell expressions that are evaluated without sufficient restrictions, resulting in remote code execution in the context of the IRISNext application user on the web server. The issue carries a CVSS 3.1 score of 8.8 and is associated with CWE-917.

An attacker with low-privileged access to the application can exploit the flaw over the network without user interaction. By supplying malicious BeanShell expressions inside search definitions, the attacker can run operating-system commands, potentially compromising the confidentiality, integrity, and availability of the server and any data accessible to the application account.

Public references consist of a technical advisory PDF hosted on GitHub and the vendor site at varsnext.iriscorporate.com; no specific patch or mitigation details are provided in the available information. The associated EPSS score has remained flat at 0.0737 with no material increase after disclosure.

EU & UK References

Vulnerability details

The BeanShell components of IRISNext through 9.8.28 allow execution of arbitrary commands on the target server by creating a custom search (or editing an existing/predefined search) of the documents. The search components permit adding BeanShell expressions that result in Remote Code Execution in the context of the IRISNext application user, running on the web server.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

canon
irisnext
≤ 9.8.28

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References