CVE-2022-39296

2022-10-1118:15:10

CWE-22

[email protected]

web.nvd.nist.gov

cve-2022-39296

melisassetmanager

file read

security vulnerability

nvd

information disclosure

upgrade

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

7.2 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.4%

JSON

MelisAssetManager provides deliveries of Melis Platform’s assets located in every module’s public folder. Attackers can read arbitrary files on affected versions of melisplatform/melis-asset-manager, leading to the disclosure of sensitive information. Conducting this attack does not require authentication. Users should immediately upgrade to melisplatform/melis-asset-manager >= 5.0.1. This issue was addressed by restricting access to files to intended directories only.

Affected configurations

Vulners

NVD

Node

melisplatformmelis_asset_managerRange≤5.0.0

CPENameOperatorVersion
melistechnology:melis-asset-managermelistechnology melis-asset-managerlt5.0.1

CPE	Name	Operator	Version
melistechnology:melis-asset-manager	melistechnology melis-asset-manager	lt	5.0.1

CNA Affected

[
  {
    "vendor": "melisplatform",
    "product": "melis-asset-manager",
    "versions": [
      {
        "version": "<= 5.0.0",
        "status": "affected"
      }
    ]
  }
]