CVE-2022-24082

Published: Jul 19, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture.

Affected (1)

Products: Pega: Infinity

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pega Infinity	From 8.1.0 to 8.7.3

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (4)

http://packetstormsecurity.com/files/169480/Pega-Platform-8.7.3-Remote-Code-Execution.html

Source: security@pega.com

ExploitThird Party AdvisoryVDB Entry

https://support.pega.com/support-doc/pega-security-advisory-b22-vulnerability-%E2%80%93-hotfix-matrix-0

Source: security@pega.com

Vendor Advisory

http://packetstormsecurity.com/files/169480/Pega-Platform-8.7.3-Remote-Code-Execution.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://support.pega.com/support-doc/pega-security-advisory-b22-vulnerability-%E2%80%93-hotfix-matrix-0

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.