Lucene search

[email protected]CVE-2024-24569

HistoryFeb 01, 2024 - 7:15 p.m.

CVE-2024-24569

2024-02-0119:15:08

CWE-22

[email protected]

web.nvd.nist.gov

pixee

java

code

security

toolkit

api

vulnerability

zipsecurity

bypass

traversal

exploit

patch

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

7.5 High

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

20.0%

JSON

The Pixee Java Code Security Toolkit is a set of security APIs meant to help secure Java code. ZipSecurity#isBelowCurrentDirectory is vulnerable to a partial-path traversal bypass. To be vulnerable to the bypass, the application must use toolkit version <=1.1.1, use ZipSecurity as a guard against path traversal, and have an exploit path. Although the control still protects attackers from escaping the application path into higher level directories (e.g., /etc/), it will allow “escaping” into sibling paths. For example, if your running path is /my/app/path you an attacker could navigate into /my/app/path-something-else. This vulnerability is patched in 1.1.2.

VendorProductVersionCPE
pixeejava_code_security_toolkit*cpe:2.3:a:pixee:java_code_security_toolkit:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pixee	java_code_security_toolkit	*	cpe:2.3:a:pixee:java_code_security_toolkit::::::::

References

github.com/pixee/java-security-toolkit/blob/7c8e93e6fb2420fb6003c54a741e267c4f883bab/src/main/java/io/github/pixee/security/ZipSecurity.java#L82-L87

github.com/pixee/java-security-toolkit/commit/b885b03c9cfae53d62d239037f9654d973dd54d9

github.com/pixee/java-security-toolkit/security/advisories/GHSA-qh4g-4m4w-jgv2

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

7.5 High

AI Score

Confidence

Low

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

20.0%

JSON

Related for CVE-2024-24569

veracode1 osv1 prion1