Vulnerabilities > CVE-2022-40238 - Deserialization of Untrusted Data vulnerability in Cert Vince

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

cert

CWE-502

NVD

Published: 2022-10-26

Updated: 2022-10-28

Summary

A Remote Code Injection vulnerability exists in CERT software prior to version 1.50.5. An authenticated attacker can inject arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed.

Vulnerable Configurations

Part	Description	Count
Application	Cert Cert Vince - Cert Vince 1.48.0 Cert Vince 1.49.0 Cert Vince 1.50.0 Cert Vince 1.50.1 Cert Vince 1.50.2 Cert Vince 1.50.3 Cert Vince 1.50.4	8

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity