Lucene search

[email protected]NVD:CVE-2022-39296

HistoryOct 11, 2022 - 6:15 p.m.

CVE-2022-39296

2022-10-1118:15:10

CWE-22

[email protected]

web.nvd.nist.gov

cve-2022-39296

melisassetmanager

file read

vulnerability

disclosure of sensitive information

authentication

upgrade

restriction of access

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

56.3%

JSON

MelisAssetManager provides deliveries of Melis Platform’s assets located in every module’s public folder. Attackers can read arbitrary files on affected versions of melisplatform/melis-asset-manager, leading to the disclosure of sensitive information. Conducting this attack does not require authentication. Users should immediately upgrade to melisplatform/melis-asset-manager >= 5.0.1. This issue was addressed by restricting access to files to intended directories only.

Affected configurations

Nvd

Node

melistechnologymelis-asset-managerRange<5.0.1

VendorProductVersionCPE
melistechnologymelis-asset-manager*cpe:2.3:a:melistechnology:melis-asset-manager:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
melistechnology	melis-asset-manager	*	cpe:2.3:a:melistechnology:melis-asset-manager::::::::

References

github.com/melisplatform/melis-asset-manager/commit/a0f75918c049aff78953a0bc91c585153595d1bd

github.com/melisplatform/melis-asset-manager/security/advisories/GHSA-7fj2-rrq6-rphq

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

56.3%

JSON

Related for NVD:CVE-2022-39296

cvelist1 veracode1 osv2 cve1 github1 prion1