CVE-2022-46902 – Securifera

CVE-2022-46902b0yd2023-07-12T17:06:51+00:00

SUMMARY

The following vulnerability was found in Vocera Report Console.

CVE-2022-46902

Vocera Report Console contains a path traversal vulnerability in the unzip operation (ZipSlip) of the SQL import web endpoint in the Report Console software on versions before 5.6.0

CVSS 3.1

10 (Critical) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AFFECTED PRODUCTS

Vocera Report Console <= 5.6.0

SOFTWARE FIXES

Update to the latest version of Vocera Report Console.

TIMELINE

10.20.2022

Notified vendor of vulnerability

10.25.2022

Vendor acknowledges vulnerability

12.16.2022

Vulnerabilities confirmed & CVEs reserved

01.20.2023

Patches Released

02.27.2023

Vendor delays public disclosure

03.27.2023

Public disclosure

ACKNOWLEDGMENTS

Ryan Wincey (b0yd)

REFERENCES