Multiple high-severity flaws have been uncovered in the open source OpenLiteSpeed Web Server as well as its enterprise variant that could be weaponized to achieve remote code execution.
“By chaining and exploiting the vulnerabilities, adversaries could compromise the web server and gain fully privileged remote code execution,” Palo Alto Networks Unit 42 said in a Thursday report.
OpenLiteSpeed, the open source edition of LiteSpeed Web Server, is the sixth most popular web server, accounting for 1.9 million unique servers across the world.
The first of the three flaws is a directory traversal flaw (CVE-2022-0072, CVSS score: 5.8), which could be exploited to access forbidden files in the web root directory.
The remaining two vulnerabilities (CVE-2022-0073 and CVE-2022-0074, CVSS scores: 8.8) relate to a case of privilege escalation and command injection, respectively, that could be chained to achieve privileged code execution.
“A threat actor who managed to obtain the credentials to the dashboard, whether by brute-force attacks or social engineering, could exploit the vulnerability in order to execute code on the server,” Unit 42 researchers Artur Avetisyan, Aviv Sasson, Ariel Zelivansky, and Nathaniel Quist said of CVE-2022-0073.
Multiple versions of OpenLiteSpeed (from 1.5.11 up to 1.7.16) and LiteSpeed (from 5.4.6 up to 6.0.11) are impacted by the issues, which have been addressed in versions 1.7.16.1 and 6.0.12 following responsible disclosure on October 4, 2022.
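As an added example that is not part of the article or the Unit 42 report, the check below flags inventory entries whose OpenLiteSpeed or LiteSpeed version falls inside the affected ranges given above; the inventory format (host, product, version) and the sample hosts are assumptions of the example.

```python
# Added example (not from the article): flag OpenLiteSpeed / LiteSpeed
# Enterprise versions that fall inside the ranges the Unit 42 report
# lists as affected by CVE-2022-0072, CVE-2022-0073 and CVE-2022-0074.
# The ranges are taken from the article; the (host, product, version)
# inventory format fed to it is an assumption of this example.
from __future__ import annotations

# (first affected, last affected, first fixed) per product, per the article
AFFECTED_RANGES = {
    "openlitespeed": ("1.5.11", "1.7.16", "1.7.16.1"),
    "litespeed": ("5.4.6", "6.0.11", "6.0.12"),
}

def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted version into a comparable tuple of integers.

    Tuples of different lengths compare as needed here:
    (1, 7, 16) < (1, 7, 16, 1), so 1.7.16 sorts before the 1.7.16.1 fix.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)

def is_affected(product: str, version: str) -> bool:
    """Return True if `version` of `product` lies within the affected range."""
    key = product.lower()
    if key not in AFFECTED_RANGES:
        raise ValueError(f"unknown product: {product!r}")
    first, last, fixed = (parse_version(x) for x in AFFECTED_RANGES[key])
    v = parse_version(version)
    # Anything at or above the fix release is never reported as affected.
    if v >= fixed:
        return False
    return first <= v <= last

def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return hostnames from (host, product, version) triples that need patching."""
    return [host for host, product, version in inventory if is_affected(product, version)]

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("web-01.example", "openlitespeed", "1.7.16"),
        ("web-02.example", "openlitespeed", "1.7.16.1"),
        ("web-03.example", "litespeed", "6.0.11"),
        ("web-04.example", "litespeed", "6.0.12"),
        ("web-05.example", "openlitespeed", "1.5.10"),
    ]
    for host in triage(sample):
        print(f"{host}: affected, upgrade required")
```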
Some parts of this article are sourced from:
thehackernews.com