Remote Code Execution Vulnerability in StarWind SAN and NAS v0.2 build 1914 via Unchecked Hostname Parameter
CVE-2022-32268 · HIGH Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
StarWind SAN and NAS v0.2 build 1914 allow remote code execution. A flaw was found in REST API in StarWind Stack. REST command, which allows changing the hostname, doesn’t check a new hostname parameter. It goes directly to bash as part of a script. An attacker with non-root user access can inject arbitrary data into the command that will be executed with root privileges.
Learn more about our Api Penetration Testing.