Several high-severity flaws have been discovered in the open-source OpenLiteSpeed web server, as well as its enterprise variant, which could be used for remote code execution.
OpenLiteSpeed is the open-source version of LiteSpeed Web Server, the sixth most popular web server with 1.9 million unique servers worldwide.
The first of the three flaws is a directory traversal flaw (CVE-2022-0072, CVSS score: 5.8), which can be exploited to access forbidden files in the main web directory.
The remaining two vulnerabilities (CVE-2022-0073 and CVE-2022-0074, CVSS scores: 8.8) are related to an elevation of privilege and command injection case, respectively, which can be chained to achieve privileged code execution.
Unit 42 researchers Arthur Avtesian, Aviv Sassoon, Ariel Zlivansky, and Nathaniel Quist said of CVE-2022-0073: “A threat actor that was able to gain dashboard credentials, either through brute-force attacks or social engineering, could This vulnerability can be exploited to execute code on the server.
Several versions of OpenLiteSpeed (from 1.5.11 to 1.7.16) and LiteSpeed (from 5.4.6 to 6.0.11) are affected by these problems, which in versions 1.7.16 .1 and 6.0.12 have been patched after the official disclosure on October 4, 2022.