CVE-2022-2712

2023-01-2700:00:00

CWE-22

eclipse

www.cve.org

eclipse glassfish

vulnerability

remote attacker

critical data access

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS

0.003

Percentile

65.8%

JSON

In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal because it does not filter request path starting with ‘./’. Successful exploitation could allow an remote unauthenticated attacker to access critical data, such as configuration files and deployed application source code.

CNA Affected

[
  {
    "vendor": "The Eclipse Foundation",
    "product": "Eclipse GlassFish",
    "versions": [
      {
        "version": "5.1.0",
        "status": "affected",
        "lessThan": "unspecified",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThanOrEqual": "6.2.5",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]