CVE-2022-24989

NVD (NIST)
Published: Aug 20, 2023
Modified: Nov 21, 2024

CVSS score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.

Affected (1)

1 product
Terramaster Operating System
Configuration A
1 vulnerable · 29 platform
Vulnerable Software | Affected Versions
Terramaster Operating System | Before 4.2.31

Running on/with | Platform Versions
Terra Master F2 210 | All versions
Terra Master F2 221 | All versions
Terra Master F2 223 | All versions
Terra Master F2 422 | All versions
Terra Master F2 423 | All versions
Terra Master F4 421 | All versions
Terra Master F4 422 | All versions
Terra Master F4 423 | All versions
Terra Master F5 221 | All versions
Terra Master F5 422 | All versions
Terra Master T12 423 | All versions
Terra Master T12 450 | All versions
Terra Master T6 423 | All versions
Terra Master T9 423 | All versions
Terra Master T9 450 | All versions
Terra Master U12 322 9100 | All versions
Terra Master U12 423 | All versions
Terra Master U12 722 2224 | All versions
Terra Master U16 322 9100 | All versions
Terra Master U16 722 2224 | All versions
Terra Master U24 722 2224 | All versions
Terra Master U4 111 | All versions
Terra Master U4 211 | All versions
Terra Master U4 423 | All versions
Terra Master U8 111 | All versions
Terra Master U8 322 9100 | All versions
Terra Master U8 423 | All versions
Terra Master U8 522 9400 | All versions
Terra Master U8 722 2224 | All versions

References (10)

Source: cve@mitre.org | Third Party Advisory
Source: cve@mitre.org | Exploit
Source: cve@mitre.org | Exploit, Third Party Advisory, VDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108 | Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108 | Release Notes
Source: af854a3a-2127-422b-91ae-364da2661108 | Exploit
Source: af854a3a-2127-422b-91ae-364da2661108 | Exploit, Third Party Advisory, VDB Entry
