CVE-2022-4364

Summary

A vulnerability has been found in Teledyne FLIR AX8 up to 1.46.16. Affected by this issue is some unknown functionality of the file palette.php of the component Web Service Handler. The manipulation of the argument palette leads to command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.49.16 can resolve this issue. Upgrading the affected component is advised. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities."

Affected Software

VendorProductVersion RangeStatus
Teledyne FLIRAX81.46.0affected
Teledyne FLIRAX81.46.1affected
Teledyne FLIRAX81.46.2affected
Teledyne FLIRAX81.46.3affected
Teledyne FLIRAX81.46.4affected
Teledyne FLIRAX81.46.5affected
Teledyne FLIRAX81.46.6affected
Teledyne FLIRAX81.46.7affected
Teledyne FLIRAX81.46.8affected
Teledyne FLIRAX81.46.9affected
Teledyne FLIRAX81.46.10affected
Teledyne FLIRAX81.46.11affected
Teledyne FLIRAX81.46.12affected
Teledyne FLIRAX81.46.13affected
Teledyne FLIRAX81.46.14affected
Teledyne FLIRAX81.46.15affected
Teledyne FLIRAX81.46.16affected
Teledyne FLIRAX81.49.16unaffected

Weaknesses

  • CWE-77: Command Injection
  • CWE-74: Injection

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References