CVE-2022-48584
Description
A command injection vulnerability exists in the download and convert report feature of ScienceLogic SL1, which takes unsanitized user-controlled input and passes it directly to a shell command. This allows for the injection of arbitrary commands to the underlying operating system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection in ScienceLogic SL1's download and convert report feature allows unauthenticated remote code execution as the web server user.
Vulnerability
A command injection vulnerability exists in the download and convert report feature of ScienceLogic SL1 [1]. The application takes unsanitized user-controlled input and passes it directly to a shell command [1]. This allows for the injection of arbitrary commands to the underlying operating system [1]. Affected versions are ScienceLogic SL1 11.1.2 and earlier [1].
Exploitation
An attacker can exploit this vulnerability by sending specially crafted requests to the download and convert report endpoint [1]. No authentication is required to reach the vulnerable feature [1]. The attacker simply needs network access to the SL1 appliance [1].
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the web server user [1]. This can lead to full compromise of the SL1 appliance [1], including data exfiltration, installation of backdoors, or further lateral movement within the network.
Mitigation
ScienceLogic released a fix in version 11.1.3 and later [1]. Users should update to the latest version of ScienceLogic SL1 [1]. No workarounds have been publicly disclosed [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ScienceLogic/SL 1 (v5), Range: 11.1.2
Patches
No patches discovered yet.
References