QwikSec

Security Database

CVE

CWE

Training

CVE-2022-37027

Published: Sep 21, 2022

Modified: May 28, 2025

PUBLISHED

Description

Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.ahsay.com/jsp/en/downloads/ahsay-downloads_latest-software_ahsaycbs.jsp

x_refsource_MISC

https://www.compass-security.com/en/research/advisories

x_refsource_MISC

https://wiki.ahsay.com/doku.php?id=public:resources:release_notes_v9320

x_refsource_MISC

https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_latest_hotfix

x_refsource_CONFIRM

https://www.compass-security.com/fileadmin/Research/Advisories/2022_12_CSNC-2022-009_AhsayCBS_Java_Runtime_Parameter_Injection.txt

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.