CVE-2022-26846
Published: 10 March 2022
Summary
CVE-2022-26846 is a high-severity vulnerability of unspecified weakness type in Debian Linux. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 9.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
SPIP, a content management system, is affected by CVE-2022-26846 in all versions before 3.2.14 and 4.x before 4.0.5. The flaw permits remote authenticated users with editor privileges to execute arbitrary code on the server, carrying a CVSS 3.1 base score of 8.8 that reflects network attack vector, low complexity, and full impact on confidentiality, integrity, and availability.
An attacker who already possesses a valid editor account can exploit the issue over the network without user interaction, achieving code execution that can lead to complete system compromise. The vulnerability therefore expands the reach of any compromised or malicious editor account into full remote code execution.
Official advisories from the SPIP project and Debian recommend immediate upgrade to SPIP 3.2.14 or 4.0.5, which contain the fixes; corresponding package updates were issued for Debian stable and oldstable releases. The associated EPSS score has remained flat at 0.058 since disclosure, indicating no significant surge in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31396
Vulnerability details
SPIP before 3.2.14 and 4.x before 4.0.5 allows remote authenticated editors to execute arbitrary code.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.