Lucene search

GitHub Advisory DatabaseGHSA-3G5W-6PW7-6HRP

HistoryJan 27, 2023 - 12:30 p.m.

Path Traversal In Eclipse GlassFish

2023-01-2712:30:29

CWE-22

GitHub Advisory Database

github.com

eclipse glassfish

path traversal

vulnerability

remote attack

configuration files

source code

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.003

Percentile

65.8%

JSON

In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal because it does not filter request path starting with ‘./’. Successful exploitation could allow an remote unauthenticated attacker to access critical data, such as configuration files and deployed application source code.

Affected configurations

Vulners

Node

org.glassfish.main.webwebRange5.1.0–7.0.0

VendorProductVersionCPE
org.glassfish.main.webweb*cpe:2.3:a:org.glassfish.main.web:web:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.glassfish.main.web	web	*	cpe:2.3:a:org.glassfish.main.web:web::::::::

References

bugs.eclipse.org/580502

github.com/advisories/GHSA-3g5w-6pw7-6hrp

github.com/eclipse-ee4j/glassfish/pull/24077

nvd.nist.gov/vuln/detail/CVE-2022-2712

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.003

Percentile

65.8%

JSON

Related for GHSA-3G5W-6PW7-6HRP