CVE-2022-0073 - Vulnerability Details - OpenCVE

Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Command Injection. This affects 1.7.0 versions before 1.7.16.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Litespeedtech	Openlitespeed

Configuration 1 [-]

cpe:2.3:a:litespeedtech:openlitespeed:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/litespeedtech/openlitespeed/blob/v1.7.16.1/dist/admin/html.open/lib/CValidation.php#L565
https://github.com/litespeedtech/openlitespeed/blob/v1.7.16/dist/admin/html.open/lib/CValidation.php#L565

History

Mon, 05 May 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: palo_alto

Published: 2022-10-27T19:30:54.053Z

Updated: 2025-05-05T18:12:47.674Z

Reserved: 2021-12-28T23:57:03.945Z

Link: CVE-2022-0073

Vulnrichment

Updated: 2024-08-02T23:18:41.683Z

NVD

Status : Modified

Published: 2022-10-27T20:15:12.740

Modified: 2024-11-21T06:37:52.133

Link: CVE-2022-0073

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-0073", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "state": "PUBLISHED", "assignerShortName": "palo_alto", "requesterUserId": "4bdfcd35-6352-4419-9b3e-118da80d0642", "dateReserved": "2021-12-28T23:57:03.945Z", "datePublished": "2022-10-27T19:30:54.053Z", "dateUpdated": "2025-05-05T18:12:47.674Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenLiteSpeed Web Server", "repo": "https://github.com/litespeedtech/openlitespeed", "vendor": "LiteSpeed Technologies", "versions": [{"lessThan": "1.7.16.1", "status": "affected", "version": "1.7.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "LiteSpeed Web Server", "vendor": "LiteSpeed Technologies", "versions": [{"lessThan": "1.7.16.1", "status": "affected", "version": "1.7.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Command Injection. This affects <span style=\"background-color: rgb(255, 255, 255);\">1.7.0 </span> versions <span style=\"background-color: rgb(255, 255, 255);\">before 1.7.16.1.</span><br>"}], "value": "Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and\u00a0LiteSpeed Web Server\u00a0dashboards allows Command Injection. This affects\u00a01.7.0 versions\u00a0before 1.7.16.1.\n"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2022-11-04T20:45:23.870Z"}, "references": [{"url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16/dist/admin/html.open/lib/CValidation.php#L565"}, {"url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16.1/dist/admin/html.open/lib/CValidation.php#L565"}], "source": {"discovery": "EXTERNAL"}, "title": "Authenticated Remote Code Execution in OpenLiteSpeed Web Server", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:18:41.683Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16/dist/admin/html.open/lib/CValidation.php#L565", "tags": ["x_transferred"]}, {"url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16.1/dist/admin/html.open/lib/CValidation.php#L565", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-05T18:10:13.071411Z", "id": "CVE-2022-0073", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-05T18:12:47.674Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16/dist/admin/html.open/lib/CValidation.php#L565", "tags": ["x_transferred"]}, {"url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16.1/dist/admin/html.open/lib/CValidation.php#L565", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:18:41.683Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-0073", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-05T18:10:13.071411Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-05T18:10:24.360Z"}}], "cna": {"title": "Authenticated Remote Code Execution in OpenLiteSpeed Web Server", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/litespeedtech/openlitespeed", "vendor": "LiteSpeed Technologies", "product": "OpenLiteSpeed Web Server", "versions": [{"status": "affected", "version": "1.7.0", "lessThan": "1.7.16.1", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "LiteSpeed Technologies", "product": "LiteSpeed Web Server", "versions": [{"status": "affected", "version": "1.7.0", "lessThan": "1.7.16.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16/dist/admin/html.open/lib/CValidation.php#L565"}, {"url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16.1/dist/admin/html.open/lib/CValidation.php#L565"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and\u00a0LiteSpeed Web Server\u00a0dashboards allows Command Injection. This affects\u00a01.7.0 versions\u00a0before 1.7.16.1.\n", "supportingMedia": [{"type": "text/html", "value": "Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Command Injection. This affects <span style=\"background-color: rgb(255, 255, 255);\">1.7.0 </span> versions <span style=\"background-color: rgb(255, 255, 255);\">before 1.7.16.1.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2022-11-04T20:45:23.870Z"}}}, "cveMetadata": {"cveId": "CVE-2022-0073", "state": "PUBLISHED", "dateUpdated": "2025-05-05T18:12:47.674Z", "dateReserved": "2021-12-28T23:57:03.945Z", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "datePublished": "2022-10-27T19:30:54.053Z", "requesterUserId": "4bdfcd35-6352-4419-9b3e-118da80d0642", "assignerShortName": "palo_alto"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:litespeedtech:openlitespeed:*:*:*:*:*:*:*:*", "matchCriteriaId": "C73FDC55-CA39-411D-B385-4E6FF2F37706", "versionEndIncluding": "1.7.16.1", "versionStartIncluding": "1.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and\u00a0LiteSpeed Web Server\u00a0dashboards allows Command Injection. This affects\u00a01.7.0 versions\u00a0before 1.7.16.1.\n"}, {"lang": "es", "value": "Vulnerabilidad de Improper Input Validation en los dashboards de LiteSpeed ??Technologies OpenLiteSpeed ??Web Server y LiteSpeed ??Web Server permite la Inyecci\u00f3n de comandos. Esto afecta a las versiones 1.7.0 anteriores a la 1.7.16.1."}], "id": "CVE-2022-0073", "lastModified": "2024-11-21T06:37:52.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-27T20:15:12.740", "references": [{"source": "psirt@paloaltonetworks.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16.1/dist/admin/html.open/lib/CValidation.php#L565"}, {"source": "psirt@paloaltonetworks.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16/dist/admin/html.open/lib/CValidation.php#L565"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16.1/dist/admin/html.open/lib/CValidation.php#L565"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/litespeedtech/openlitespeed/blob/v1.7.16/dist/admin/html.open/lib/CValidation.php#L565"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}