SUMMARY

The following vulnerability was found in ScienceLogic SL1.

CVE-2022-48581

A command injection vulnerability exists in the “dash export” feature of the ScienceLogic SL1 that
takes unsanitized user‐controlled input and passes it directly to a shell command. This allows for the
injection of arbitrary commands to the underlying operating system.

CVSS 3.1

8.8 (High) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AFFECTED PRODUCTS

  • ScienceLogic SL1 <= 11.1.2

SOFTWARE FIXES

Update to the latest version of ScienceLogic SL1.

TIMELINE

09.06.2022

Notified vendor of vulnerability

10.04.2022

Vendor hires law firm to manage disclosure

10.28.2023

Vendor refuses CVE issuance and disclosure

11.28.2022

Vendor’s legal team strongly advises against disclosing to MITRE

06.07.2023

Vendor notified of intent to issue CVEs and disclose vulnerabilities

08.09.2023

Public disclosure

ACKNOWLEDGMENTS

  • Christian Weiler

REFERENCES