OMD executes several hooks to determine configuration options (e.g. which port
to use for the site apache). These hooks are version dependent, so OMD executed
these hooks via a symlink in the site to get the hooks matching the version of
The symlinks belong to the site user in order to be able to update
the version. Since a OMD status executes those hooks as root, it was
possible for a site user to create a malicious hook and execute code as root.
All maintained versions (>=1.6) are subject to this vulnerability. It is likely
that also previous versions were vulnerable.
CVE is CVE-2022-31258.
CVSS: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 8.2
We thank Timo Klecker for reporting this issue!
To the list of all Werks