CVE-2022-2975 HIGH

CVE-2022-2975: Avaya Aura Application Enablement Services weak permissions in web application

Vendor Avaya
Product Avaya Aura Application Enablement Services
Weakness CWE-269
Published October 6, 2022
Last update August 3, 2024

CVSS base score

7.7/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A vulnerability related to weak permissions was detected in Avaya Aura Application Enablement Services web application, allowing an administrative user to modify accounts leading to execution of arbitrary code as the root user. This issue affects Application Enablement Services versions 8.0.0.0 through 8.1.3.4 and 10.1.0.0 through 10.1.0.1. Versions prior to 8.0.0.0 are end of manufacturing support and were not evaluated.

Key dates

02Disclosure timeline

October 6, 2022 CVE published
August 3, 2024 Record updated