CVE-2022-45639

HIGH

Sleuthkit The Sleuth Kit - OS Command Injection

Description

OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter. NOTE: third parties have disputed this because there is no analysis showing that the backtick command executes outside the context of the user account that entered the command line.

Exploits (1)

exploitdb WORKING POC
by Dino Barlattani · text · local · multiple
https://www.exploit-db.com/exploits/51225

Scores

CVSS v3 7.8
EPSS 0.0103
EPSS Percentile 77.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
sleuthkit/the_sleuth_kit 4.11.1
Published Jan 24, 2023
Tracked Since Feb 18, 2026