CVE-2022-46899

An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is Arbitrary File Upload. The BaseController class, that each of the service controllers derives from, allows for the upload of arbitrary files. If the HTTP request is a multipart/form-data POST request, any parameters with a filename entry will have their content written to a file in the Vocera upload-staging directory with the specified filename in the parameter.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:vocera:report_server:*:*:*:*:*:*:*:*
cpe:2.3:a:vocera:voice_server:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:31

Type Values Removed Values Added
References () https://www.stryker.com/us/en/about/governance/cyber-security/product-security/ - Not Applicable () https://www.stryker.com/us/en/about/governance/cyber-security/product-security/ - Not Applicable
References () https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html - Third Party Advisory () https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html - Third Party Advisory

01 Aug 2023, 01:28

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CPE cpe:2.3:a:vocera:report_server:*:*:*:*:*:*:*:*
cpe:2.3:a:vocera:voice_server:*:*:*:*:*:*:*:*
First Time Vocera
Vocera report Server
Vocera voice Server
CWE CWE-434
References (MISC) https://www.stryker.com/us/en/about/governance/cyber-security/product-security/ - (MISC) https://www.stryker.com/us/en/about/governance/cyber-security/product-security/ - Not Applicable
References (MISC) https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html - (MISC) https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html - Third Party Advisory

25 Jul 2023, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-25 20:15

Updated : 2024-11-21 07:31


NVD link : CVE-2022-46899

Mitre link : CVE-2022-46899

CVE.ORG link : CVE-2022-46899


JSON object : View

Products Affected

vocera

  • voice_server
  • report_server
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type