Lucene search

Veracode Vulnerability DatabaseVERACODE:43035

HistoryAug 31, 2023 - 4:48 a.m.

Path Traversal

2023-08-3104:48:42

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

pf4j

path traversal

extract function

unzip.java

path validation

zippluginpath parameter

sensitive information

arbitrary code

software

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.002 Low

EPSS

Percentile

52.4%

JSON

PF4J is vulnerable to Path Traversal. The vulnerability exists in the extract function in Unzip.java due to a lack of path validation which allows an attacker to obtain sensitive information and execute arbitrary code via the zippluginPath parameter.

CPENameOperatorVersion
pf4jle3.9.0
pf4jle3.9.0

CPE	Name	Operator	Version
	pf4j	le	3.9.0
	pf4j	le	3.9.0

References

github.com/advisories/GHSA-3r28-rgp9-qgv4

github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72

github.com/pf4j/pf4j/issues/526

github.com/pf4j/pf4j/issues/536

github.com/pf4j/pf4j/pull/538

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.002 Low

EPSS

Percentile

52.4%

JSON

Related for VERACODE:43035