CVE-2022-26111

The BeanShell components of IRISNext through 9.8.28 allow execution of arbitrary commands on the target server by creating a custom search (or editing an existing/predefined search) of the documents. The search components permit adding BeanShell expressions that result in Remote Code Execution in the context of the IRISNext application user, running on the web server.

CVSS v3 8.8 HIGH
CVSS v2.0 9.0 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-26111.pdf	Exploit Third Party Advisory
https://varsnext.iriscorporate.com/	Product Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:canon:irisnext:*:*:*:*:*:*:*:*

History

08 Aug 2023, 14:21

Type	Values Removed	Values Added
CWE	~~CWE-77~~	CWE-917

Information

Published : 2022-04-25 15:15

Updated : 2024-02-28 19:09

NVD link : CVE-2022-26111

Mitre link : CVE-2022-26111

CVE.ORG link : CVE-2022-26111

JSON object : View

Products Affected

canon

irisnext

CWE

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

{"id": "CVE-2022-26111", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-04-25T15:15:49.733", "references": [{"url": "https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-26111.pdf", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://varsnext.iriscorporate.com/", "tags": ["Product", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-917"}]}], "descriptions": [{"lang": "en", "value": "The BeanShell components of IRISNext through 9.8.28 allow execution of arbitrary commands on the target server by creating a custom search (or editing an existing/predefined search) of the documents. The search components permit adding BeanShell expressions that result in Remote Code Execution in the context of the IRISNext application user, running on the web server."}, {"lang": "es", "value": "Los componentes BeanShell de IRISNext versiones hasta 9.8.28, permiten una ejecuci\u00f3n de comandos arbitrarios en el servidor de destino mediante la creaci\u00f3n de una b\u00fasqueda personalizada (o la edici\u00f3n de una b\u00fasqueda existente/predefinida) de los documentos. Los componentes de b\u00fasqueda permiten a\u00f1adir expresiones BeanShell que resultan en una Ejecuci\u00f3n de C\u00f3digo Remota en el contexto del usuario de la aplicaci\u00f3n IRISNext, que es ejecutada en el servidor web"}], "lastModified": "2023-08-08T14:21:49.707", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:canon:irisnext:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "457406A2-793E-41C3-923F-F7C236DF97DE", "versionEndIncluding": "9.8.28"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}