SUMMARY

The following vulnerability was found in ScienceLogic SL1.

CVE-2022-48582

A command injection vulnerability exists in the “ticket report generate” feature of the ScienceLogic
SL1 that takes unsanitized user‐controlled input and passes it directly to a shell command. This allows
for the injection of arbitrary commands to the underlying operating system.

CVSS 3.1

8.8 (High) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AFFECTED PRODUCTS

  • ScienceLogic SL1 <= 11.1.2

SOFTWARE FIXES

Update to the latest version of ScienceLogic SL1.

TIMELINE

09.06.2022

Notified vendor of vulnerability

10.04.2022

Vendor hires law firm to manage disclosure

10.28.2023

Vendor refuses CVE issuance and disclosure

11.28.2022

Vendor’s legal team strongly advises against disclosing to MITRE

06.07.2023

Vendor notified of intent to issue CVEs and disclose vulnerabilities

08.09.2023

Public disclosure

ACKNOWLEDGMENTS

  • Christian Weiler

REFERENCES