CVE-2022-30708
Published: 15 May 2022
Summary
CVE-2022-30708 is a high-severity an unspecified weakness vulnerability in Webmin Webmin. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 10.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Webmin through version 1.991 is affected by a remote code execution vulnerability when the Authentic theme is in use. The flaw stems from settings-editor_write.cgi failing to properly restrict the file parameter, but only impacts users who were created manually rather than through Virtualmin or Cloudmin. The issue carries a CVSS 3.1 base score of 8.8.
An authenticated attacker with a manually provisioned account can supply a crafted file parameter to the affected CGI script and achieve arbitrary code execution on the server. No special user interaction or high privileges beyond a standard Webmin login are required for successful exploitation.
Public references point to a fix committed in the Webmin repository and updated releases of the Authentic theme that address the parameter handling weakness. The associated GitHub issue and proof-of-concept exploit code further document the root cause and remediation steps. The EPSS score has remained low with only minor movement between its current value of 0.0471 and peak of 0.0542.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52538
Vulnerability details
Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.