CVE-2022-30534
Published: 22 August 2022
Summary
CVE-2022-30534 is a high-severity OS Command Injection (CWE-78) vulnerability in WWBN AVideo. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 6.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and the development master branch at commit 3f7c0364. The flaw, tracked as CWE-78, permits arbitrary operating system command execution when a specially crafted HTTP request is processed by the affected component.
An authenticated attacker with low privileges can exploit the issue over the network by submitting a malicious request, resulting in full compromise of confidentiality, integrity, and availability on the target system. The vulnerability carries a CVSS 3.1 base score of 8.8.
Public references point to Talos Intelligence advisory TALOS-2022-1546 for technical details and to database migration scripts in the AVideo repository (updateDb.v12.0.sql) that address the affected code paths.
EPSS scores for the CVE have remained in the 0.12 range without a pronounced rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52394
Vulnerability details
An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.