vendor:
sleuthkit
by:
Dino Barlattani, Giuseppe Granato
7.8
CVSS
HIGH
Command injection
78
CWE
Product Name: sleuthkit
Affected Version From: 4.11.2001
Affected Version To: 4.11.2001
Patch Exists: YES
Related CWE: CVE-2022-45639
CPE: a:sleuthkit:sleuthkit:4.11.1
Platforms Tested: Linux
2023
sleuthkit 4.11.1 – Command Injection
OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter when it run on linux, a user can insert in the -m parameter a buffer with backtick with a shell command. If it run with a web application as front end it can execute commands on the remote server. The function affected by the vulnerability is "tsk_fs_fls()" from the "fls_lib.c" file.
Mitigation:
Apply the patch provided by the vendor or upgrade to the latest version of the software.