CVE-2022-48582: 
ScienceLogic SL1 Agent vulnerability analysis and mitigation

A command injection vulnerability (CVE-2022-48582) was discovered in the ScienceLogic SL1's ticket report generate feature. The vulnerability affects versions 11.1.2 and earlier, where unsanitized user-controlled input is passed directly to a shell command, potentially allowing attackers to inject arbitrary commands to the underlying operating system (Securifera).

The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs low privileges, requires no user interaction, and can result in high impacts to confidentiality, integrity, and availability (Securifera).

The successful exploitation of this vulnerability could lead to the execution of arbitrary commands on the underlying operating system, potentially compromising the confidentiality, integrity, and availability of the affected system (Securifera).

Users are advised to update to the latest version of ScienceLogic SL1 beyond version 11.1.2 to address this vulnerability (Securifera).

The disclosure timeline reveals some tension in the vulnerability reporting process. The vendor initially hired a law firm to manage disclosure and advised against CVE issuance. The vulnerability was finally disclosed publicly on August 9, 2023, after nearly a year of coordination attempts (Securifera).