CVE-2022-36006

CVSS V2 None CVSS V3 High 8.8

Description

Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. A remote code execution (RCE) vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This exists in all versions up to 2.4.1 and is fixed in 2.4.2. This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypesScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack. For versions of Arvados earlier than 2.4.2: remove the Ruby-based "Workbench 1" app ("apt-get remove arvados-workbench") from your installation as a workaround.

Overview

CVE ID
CVE-2022-36006

Assigner
security-advisories@github.com

Vulnerability Status
Analyzed

Published Version
2022-08-15T11:21:40

Last Modified Date
2022-08-16T17:00:52

Weakness Enumerations

CWE	URL
CWE-94	http://cwe.mitre.org/data/definitions/94.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:arvados:arvados::::::ruby::*	1	OR		2.4.2

CVSS Version 3

Version
3.1

Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NETWORK

Attack Compatibility
LOW

Privileges Required
LOW

User Interaction
NONE

Scope
UNCHANGED

Confidentiality Impact
HIGH

Availability Impact
HIGH

Base Score
8.8

Base Severity
HIGH

Exploitability Score
2.8

Impact Score
5.9

References

Reference URL	Reference Tags
https://arvados.org/release-notes/2.4.2/
https://dev.arvados.org/issues/19316
https://github.com/arvados/arvados/security/advisories/GHSA-8867-q4xf-cqgm

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2022-36006
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36006

History

Created	Old Value	New Value	Data Type	Notes
2022-08-15 12:00:07				Added to TrackCVE