Lucene search

GoogleOSV:CVE-2022-42002

HistoryOct 01, 2022 - 12:15 a.m.

CVE-2022-42002

2022-10-0100:15:10

Google

osv.dev

sonicjs

file overwrite

vulnerability

arbitrary file write

software

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

51.7%

JSON

SonicJS through 0.6.0 allows file overwrite. It has the following mutations that are used for updating files: fileCreate and fileUpdate. Both of these mutations can be called without any authentication to overwrite any files on a SonicJS application, leading to Arbitrary File Write and Delete.

CPENameOperatorVersion
sonicjseq0.0.9
sonicjseq0.1.1
sonicjseq1.0.0
sonicjseq0.4.0
sonicjseqBeta-0.3.1
sonicjseqbeta-010
sonicjseq0.4.4
sonicjseq0.5.4
sonicjseq0.4.2
sonicjseq0.3.0

Name	Operator	Version
sonicjs	eq	0.0.9
sonicjs	eq	0.1.1
sonicjs	eq	1.0.0
sonicjs	eq	0.4.0
sonicjs	eq	Beta-0.3.1
sonicjs	eq	beta-010
sonicjs	eq	0.4.4
sonicjs	eq	0.5.4
sonicjs	eq	0.4.2
sonicjs	eq	0.3.0

Rows per page:

1-10 of 141

References

github.com/lane711/sonicjs/tags

snyk.io/blog/graphql-security-static-analysis-snyk-code/

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

51.7%

JSON

Related for OSV:CVE-2022-42002