An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component.
The vulnerability lies in the snmp4jCfgStoragePath component, which is responsible for handling the path to store the SNMP agent configuration. Identified error types (CWE-73 — external control of file name or path, CWE-284 — improper access control, CWE-502 — deserialization of untrusted data) indicate that an attacker can supply a crafted path value or deserialization payload, resulting in execution of code controlled by the attacker on the server side. The attack does not require authentication or user interaction and can be conducted remotely over the network.
An attacker can gain full control over the system running SNMP4J-Agent, including access to sensitive data, the ability to modify configuration, and potential takeover of the entire network environment managed by the agent.
Patches available from the vendor should be applied according to references. Until the fix is deployed, it is recommended to restrict network access to SNMP ports exclusively to trusted management hosts and monitor attempts of unauthorized access to the agent.
SNMP4J-Agent version 3.8.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H