CVE-2022-23769

Published Oct 17, 2022

Last updated 2 years ago

CVSS high 7.5
AWS

Overview

Description
Remote code execution vulnerability due to insufficient user privilege verification in reverseWall-MDS. Remote attackers can exploit the vulnerability such as stealing account, through remote code execution.
Source
vuln@krcert.or.kr
NVD status
Modified

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

vuln@krcert.or.kr
CWE-287
nvd@nist.gov
CWE-287

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. CVE-2024-31884
  2. Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.CVE-2026-5707
  3. Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.CVE-2026-5708
  4. Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.CVE-2026-5709
  5. Insufficient authentication security controls in the browser-based authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to intercept or hijack authentication sessions due to insufficient protections in the browser-based authentication flows. To remediate this issue, users should upgrade to version 2.1.0.0.CVE-2026-35561

References

Sources include official advisories and independent security research.