CVE-2022-32409
Published: 14 July 2022
Summary
CVE-2022-32409 is a critical-severity Path Traversal (CWE-22) vulnerability in Softwarepublico I3Geo. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-32409 is a local file inclusion vulnerability in the codemirror.php component of Portal do Software Publico Brasileiro i3geo version 7.0.5. Tracked as CWE-22, the flaw allows an attacker to execute arbitrary PHP code by supplying a crafted HTTP request and is rated 9.8 under CVSS 3.1.
The issue is remotely exploitable by unauthenticated attackers over the network without credentials or user interaction. Successful exploitation yields complete compromise of confidentiality, integrity, and availability on the affected server.
The supplied references consist of a public proof-of-concept and OWASP guidance on local file inclusion testing; they contain no information on official patches or mitigation steps. The EPSS score reached a peak of 0.7059 and currently stands at 0.6655.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-35482
Vulnerability details
A local file inclusion (LFI) vulnerability in the component codemirror.php of Portal do Software Publico Brasileiro i3geo v7.0.5 allows attackers to execute arbitrary PHP code via a crafted HTTP request.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
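The control above is abstract, so here is an added example (not i3geo's code, and not the contents of codemirror.php) showing the include-by-request-parameter pattern that produces a local file inclusion beside a hardened resolver. The directory layout, the `ALLOWED_VIEWS` map and the file names are constructed for the demonstration; the hardened version combines an allow-list of logical names with a `realpath()` containment check so that neither a traversal sequence nor a stray symlink can pull a file from outside the intended directory.

```php
<?php
// Added example (not i3geo code). Demonstrates CWE-22 / LFI mitigation:
// allow-list the request value, then verify the canonical path stays inside
// the base directory. All names and paths here are constructed for the demo.

declare(strict_types=1);

// --- Vulnerable pattern: a raw request value reaches include(). ---
// include($_GET['file']);   // "../../etc/passwd" or any readable PHP file is loaded.

// --- Hardened pattern: allow-list first, canonical containment second. ---

/** Logical names a client may request, mapped to files under the base directory. */
const ALLOWED_VIEWS = [
    'editor'  => 'editor.php',
    'preview' => 'preview.php',
];

/**
 * Return the canonical path for $name if it is allow-listed and resolves
 * inside $baseDir; otherwise return null so the caller can answer 400/404.
 */
function resolve_view(string $baseDir, string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_VIEWS)) {
        return null;                                 // unknown logical name: raw input never touches the filesystem
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                                 // base directory missing
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . ALLOWED_VIEWS[$name]);
    if ($target === false) {
        return null;                                 // file missing or dangling symlink
    }
    // Defence in depth: even an allow-listed entry must stay under $base after
    // symlink resolution. The trailing separator stops "/srv/app2" matching "/srv/app".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                                 // resolved outside the base directory
    }
    return $target;
}

// --- Self-contained demo against a temporary directory (constructed data). ---
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'editor.php', "<?php echo 'editor view';\n");

// An allow-listed name whose file is a symlink pointing outside the base directory:
// the allow-list alone would pass it, the containment check rejects it.
$outside = tempnam(sys_get_temp_dir(), 'outside_');
@symlink($outside, $tmp . DIRECTORY_SEPARATOR . 'preview.php');

foreach (['editor', 'preview', '../../etc/passwd', 'editor.php'] as $name) {
    $path = resolve_view($tmp, $name);
    printf("%-18s => %s\n", $name, $path === null ? 'REJECTED' : 'include ' . $path);
    // Only a non-null result is ever passed to include():
    // if ($path !== null) { include $path; }
}

// Cleanup of the demo files.
@unlink($tmp . DIRECTORY_SEPARATOR . 'preview.php');
@unlink($tmp . DIRECTORY_SEPARATOR . 'editor.php');
@rmdir($tmp);
@unlink($outside);
```

Running the script accepts only `editor`; `preview` is rejected by the containment check (or, on systems without symlink support, because the file does not exist), and both `../../etc/passwd` and `editor.php` are rejected before any filesystem access because they are not logical names in the allow-list. The allow-list is the primary control; the `realpath()` comparison is defence in depth against mis-configured entries and symlinks. On a PHP host, keeping `allow_url_include` off in php.ini further prevents an `include()` from being pointed at a remote resource.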