{"api_version":"1","generated_at":"2026-04-17T06:05:49+00:00","cve":"CVE-2022-0551","urls":{"html":"https://cve.report/CVE-2022-0551","api":"https://cve.report/api/cve/CVE-2022-0551.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-0551","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-0551"},"summary":{"title":"CVE-2022-0551","description":"Improper Input Validation vulnerability in project file upload in Nozomi Networks Guardian and CMC allows an authenticated attacker with admin or import manager roles to execute unattended commands on the appliance using web server user privileges. This issue affects: Nozomi Networks Guardian versions prior to 22.0.0. Nozomi Networks CMC versions prior to 22.0.0.","state":"PUBLIC","assigner":"prodsec@nozominetworks.com","published_at":"2022-03-24 15:15:00","updated_at":"2022-03-30 18:11:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"https://security.nozominetworks.com/NN-2022:2-02","name":"https://security.nozominetworks.com/NN-2022:2-02","refsource":"CONFIRM","tags":[],"title":"NN-2022:2-02 - Authenticated RCE on project configuration import in Guardian/CMC before 22.0.0 - CVE-2022-0551 | Product Security Incident Response Portal","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-0551","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0551","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"SECURA B.V. found this bug during a scheduled VAPT testing session.","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"551","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nozominetworks","cpe5":"cmc","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"551","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nozominetworks","cpe5":"guardian","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"prodsec@nozominetworks.com","ID":"CVE-2022-0551","STATE":"PUBLIC","TITLE":"Authenticated RCE on project configuration import in Guardian/CMC before 22.0.0"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Guardian","version":{"version_data":[{"version_affected":"<","version_value":"22.0.0"}]}},{"product_name":"CMC","version":{"version_data":[{"version_affected":"<","version_value":"22.0.0"}]}}]},"vendor_name":"Nozomi Networks"}]}},"credit":[{"lang":"eng","value":"SECURA B.V. found this bug during a scheduled VAPT testing session."}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Improper Input Validation vulnerability in project file upload in Nozomi Networks Guardian and CMC allows an authenticated attacker with admin or import manager roles to execute unattended commands on the appliance using web server user privileges. This issue affects: Nozomi Networks Guardian versions prior to 22.0.0. Nozomi Networks CMC versions prior to 22.0.0."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":6.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20 Improper Input Validation"}]}]},"references":{"reference_data":[{"name":"https://security.nozominetworks.com/NN-2022:2-02","refsource":"CONFIRM","url":"https://security.nozominetworks.com/NN-2022:2-02"}]},"solution":[{"lang":"eng","value":"Upgrade to v22.0.0."}],"source":{"advisory":"https://security.nozominetworks.com/NN-2022:2-02","discovery":"INTERNAL"},"work_around":[{"lang":"eng","value":"Use internal firewall features to limit management interface access and review users allowed to import project data files.\n"}]},"nvd":{"publishedDate":"2022-03-24 15:15:00","lastModifiedDate":"2022-03-30 18:11:00","problem_types":["CWE-20"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nozominetworks:cmc:*:*:*:*:*:*:*:*","versionEndExcluding":"22.0.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nozominetworks:guardian:*:*:*:*:*:*:*:*","versionEndExcluding":"22.0.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"551","Ordinal":"228111","Title":"CVE-2022-0551","CVE":"CVE-2022-0551","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"551","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}