Lucene search

[email protected]CVE-2022-25299

HistoryFeb 18, 2022 - 1:15 p.m.

CVE-2022-25299

2022-02-1813:15:00

CWE-552

[email protected]

web.nvd.nist.gov

cve

2022

25299

package

cesanta

mongoose

unsafe handling

file names

upload

mg_http_upload

attackers

write files

arbitrary locations

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

64.7%

JSON

This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder.

CPENameOperatorVersion
cesanta:mongoosecesanta mongooselt7.6

CPE	Name	Operator	Version
cesanta:mongoose	cesanta mongoose	lt	7.6

References

github.com/cesanta/mongoose/commit/c65c8fdaaa257e0487ab0aaae9e8f6b439335945

snyk.io/vuln/SNYK-UNMANAGED-CESANTAMONGOOSE-2404180

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

64.7%

JSON

Related for CVE-2022-25299

osv1 prion1 debiancve1 openvas1 ubuntucve1