CVE-2022-2712

2023-01-2710:15:09

CWE-22

eclipse

web.nvd.nist.gov

cve-2022-2712

eclipse glassfish

path traversal

security vulnerability

remote attacker

unauthenticated access

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.4

Confidence

High

EPSS

0.003

Percentile

65.8%

JSON

In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal because it does not filter request path starting with ‘./’. Successful exploitation could allow an remote unauthenticated attacker to access critical data, such as configuration files and deployed application source code.

Affected configurations

Nvd

Node

eclipseglassfishRange5.1.0–6.2.5

VendorProductVersionCPE
eclipseglassfish*cpe:2.3:a:eclipse:glassfish:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
eclipse	glassfish	*	cpe:2.3:a:eclipse:glassfish::::::::

CNA Affected

[
  {
    "vendor": "The Eclipse Foundation",
    "product": "Eclipse GlassFish",
    "versions": [
      {
        "version": "5.1.0",
        "status": "affected",
        "lessThan": "unspecified",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThanOrEqual": "6.2.5",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]