Device management software HCL BigFix vulnerable to commands from attackers

HCL BigFix is vulnerable. Attackers could exploit three security flaws in the web interface and, for example, execute their own commands. HCL BigFix is a device management platform that admins can use, for instance, to automate troubleshooting on company PCs.

An advisory rates one vulnerability (CVE-2022-29078) as “critical”. The flaw is in the ejs package 3.1.6 for Node.js. If an attack succeeds, attackers could execute their own commands. It is not yet clear how this could happen in detail.

Two other vulnerabilities (CVE-2021-43138, CVE-2022-24785) are both classified as “high”. They affect the components Async and Moment.js. By successfully exploiting them, attackers could gain higher user rights.
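Because all three flaws sit in third-party Node.js packages that can also be pulled in transitively, a practical first check on any deployment built with the same stack is to walk the lock file and list every copy of those packages with its resolved version and dependency path. The following script is an added example and not code from the article, heise, or HCL. It hard-codes only the one affected version the article names (ejs 3.1.6); for async and moment it reports every occurrence so that the version can be compared against the list in the advisory, and the package-lock contents below are constructed sample data.

```python
"""Report occurrences of ejs, async and moment in an npm package-lock.json.

Added example (not from the article, heise or HCL). Assumptions:
- lock file is npm lockfileVersion 1 (nested "dependencies") or 2/3 ("packages")
- the only affected version known from the article is ejs 3.1.6; async and
  moment are reported for manual comparison against the HCL advisory
"""
import json
from typing import Dict, List, Optional, Tuple

# Package names from the article. A concrete version means "known affected";
# None means "report every copy, check the version against the advisory".
WATCHED: Dict[str, Optional[str]] = {
    "ejs": "3.1.6",   # CVE-2022-29078 (version named in the article)
    "async": None,    # CVE-2021-43138 (affected versions: see advisory)
    "moment": None,   # CVE-2022-24785 (affected versions: see advisory)
}

Finding = Tuple[str, str, str, bool]  # (name, version, path, known_affected)


def _name_from_path(path: str) -> str:
    """lockfile v2/v3 keys look like node_modules/a/node_modules/@scope/b."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx >= 0 else path


def _record(name: str, version: str, path: str, out: List[Finding]) -> None:
    expected = WATCHED[name]
    out.append((name, version, path, expected is not None and version == expected))


def _walk_v1(deps: dict, prefix: str, out: List[Finding]) -> None:
    """lockfileVersion 1 nests transitive deps under each package's "dependencies"."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name in WATCHED:
            _record(name, meta.get("version", "?"), path, out)
        _walk_v1(meta.get("dependencies", {}), path + "/", out)


def scan_lockfile(lock: dict) -> List[Finding]:
    """Return one finding per copy of a watched package, including nested copies."""
    findings: List[Finding] = []
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project entry, not a dependency
                continue
            name = meta.get("name") or _name_from_path(path)
            if name in WATCHED:
                _record(name, meta.get("version", "?"), path, findings)
    else:  # lockfileVersion 1
        _walk_v1(lock.get("dependencies", {}), "", findings)
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines; known-affected copies are marked first."""
    lines = []
    for name, version, path, affected in sorted(findings, key=lambda f: not f[3]):
        status = "AFFECTED" if affected else "CHECK AGAINST ADVISORY"
        lines.append(f"{status:24} {name}@{version}  ({path})")
    return lines


def scan_file(filename: str) -> List[str]:
    with open(filename, encoding="utf-8") as fh:
        return report(scan_lockfile(json.load(fh)))


# Constructed sample lock files (versions other than ejs 3.1.6 are made up).
SAMPLE_LOCK_V3 = {
    "name": "example-webui", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-webui", "version": "1.0.0"},
        "node_modules/ejs": {"version": "3.1.6"},
        "node_modules/moment": {"version": "2.0.0"},
        "node_modules/some-cli/node_modules/async": {"version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-cli": {"version": "1.0.0",
                     "dependencies": {"ejs": {"version": "3.1.6"}}},
        "moment": {"version": "2.0.0"},
    },
}

if __name__ == "__main__":
    for line in report(scan_lockfile(SAMPLE_LOCK_V3)):
        print(line)
```

Run it against a real lock file with `scan_file("package-lock.json")`; nested copies of a package are easy to miss in `package.json` alone, which is why the scan walks the resolved tree rather than the declared dependencies.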

In the advisory, the developers list the versions that are protected against such attacks.
