CVE-2022-44794 Remote code execution vulnerability in Object First

Note: Object First will continue to update this vulnerability as new information becomes available.

Date: 2022-10-24

Status: Final

CVEs: CVE-2022-44794


Management protocol has a flow which allows a remote attacker to execute arbitrary Bash code with root privileges. The command which sets hostname doesn’t validate input parameters.


As a result, arbitrary data goes directly to the Bash interpreter. An attacker should know the credentials to exploit this vulnerability.

Vulnerability Scoring

CVE CVSS 3.x Score Vector
CVE-2022-44794 8.8 (HIGH)  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H



Resource Hyperlink

Affected Versions:

Object First

Not affected versions:


Software Versions and Fixes

Fixed in Object First version


Update to Object First version or higher

Obtaining Software Fixes 

Software updates will be available in Object First Update Manager. You can contact Support directly via email at or via phone at +1 800 6657145.

Status of Notice


Object First will continue to update information regarding this vulnerability as new details become available.

This vulnerability article should be considered as the single source of current, up-to-date, authorized and accurate information posted by Object First Software.

Revision History 

Revision # Date Comments
1.0 2022-10-24 Initial Public Release and Final Status
2.0 2022-11-08 Added CVE number and NVD reference