CVE-2022-39987
Published: 01 August 2023
Summary
CVE-2022-39987 is a high-severity Command Injection (CWE-77) vulnerability in RaspAP. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A command injection vulnerability tracked as CVE-2022-39987 affects RaspAP versions 2.8.0 through 2.9.2. The flaw resides in the /ajax/networking/get_wgkey.php endpoint and stems from insufficient sanitization of the "entity" POST parameter, enabling execution of operating-system commands. It carries a CVSS 3.1 score of 8.8 and is associated with CWE-77.
An authenticated attacker with network access can supply crafted POST data to the vulnerable endpoint and run arbitrary commands with root privileges, resulting in full compromise of confidentiality, integrity, and availability on the affected host.
Public references consist of the affected source file on GitHub and a Medium disclosure describing multiple issues in the same application; neither the references nor the CVE record provides patch or mitigation guidance. The associated EPSS score stands at 0.7647, identical to its peak value, indicating no material post-disclosure rise in exploitation probability.
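As an added illustration that is not RaspAP's own code and does not come from the CVE record, the PHP below sketches how an endpoint of this shape can be hardened: the "entity" value is allow-listed, and the key generator is executed without a shell, so no POST parameter can ever reach a command interpreter. The key file location and the wg invocation are assumptions.

```php
<?php
// Added example, not RaspAP's code. Assumes the original flow placed the
// "entity" POST value into a shell command; that is what this pattern removes.
declare(strict_types=1);

function validate_entity(?string $entity): string
{
    // Allow-list: a short identifier of letters, digits, '_' and '-' only.
    // Anything else (whitespace, ;, |, &, $, backticks, newlines) is rejected
    // before it can be used anywhere.
    if ($entity === null || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $entity)) {
        throw new InvalidArgumentException('invalid entity name');
    }
    return $entity;
}

function wg_genkey(): string
{
    // Array form of proc_open (PHP >= 7.4) runs the binary directly with no
    // shell involved, so nothing can be interpreted as command syntax.
    $spec  = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc  = proc_open(['wg', 'genkey'], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start wg genkey');
    }
    $key = trim(stream_get_contents($pipes[1]));
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0 || $key === '') {
        throw new RuntimeException('wg genkey failed');
    }
    return $key;
}

function handle_get_wgkey(array $post): array
{
    $entity = validate_entity($post['entity'] ?? null);
    $key    = wg_genkey();
    // Build the destination path from the validated name only (hypothetical dir).
    $path = '/etc/wireguard/' . $entity . '.key';
    if (file_put_contents($path, $key . "\n") === false) {
        throw new RuntimeException('could not write key file');
    }
    chmod($path, 0600);   // private key material: owner-only
    return ['entity' => $entity, 'path' => $path];
}

header('Content-Type: application/json');
echo json_encode(handle_get_wgkey($_POST));
```

Because the CVE record notes the commands ran as root, running the web process as an unprivileged user with narrowly scoped sudo rules for the wg tooling limits the impact of any remaining input-handling flaw.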
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2235
Vulnerability details
A command injection vulnerability in RaspAP 2.8.0 through 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameter in /ajax/networking/get_wgkey.php.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.