CVE-2022-40337

Vulnerability

OASES (Open Aviation Strategic Engineering System) version 8.8.0.2 allows authenticated attackers to execute arbitrary code via the Open Print Folder menu. The vulnerability is classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), indicating the software includes untrusted code from an external source [2]. The affected component is the menu function [2].

Exploitation

An attacker must have valid authentication credentials to the OASES system. By interacting with the Open Print Folder menu, the attacker can trigger arbitrary code execution. The exact steps are not detailed in public references, but the attack vector suggests providing a malicious file or folder path that leads to code execution [2].

Impact

Successful exploitation allows the attacker to execute arbitrary code with the privileges of the OASES application. This can lead to complete compromise of the system, including unauthorized access, data modification, or disruption of aircraft maintenance operations [1][2].

Mitigation

No official fix or patch has been released as of the available references. Users are advised to monitor the vendor's website [1] for updates. No workarounds are documented. The affected version is OASES 8.8.0.2.