Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

fstec логотип

BDU:2024-01536

Опубликовано: 01 дек. 2022
Источник: fstec
CVSS3: 7.5
CVSS2: 7.8
EPSS Низкий

Описание

Уязвимость библиотеки codeplex-codehaus фреймворка Apache Maven связана с неверным ограничением имени пути к каталогу с ограниченным доступом. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, получить несанкционированный доступ к произвольным файлам и каталогам

Вендор

Red Hat Inc.
Сообщество свободного программного обеспечения
Novell Inc.
Codehaus
Elastic NV

Наименование ПО

Red Hat Enterprise Linux
Red Hat JBoss Fuse
Debian GNU/Linux
Red Hat Software Collections
Red Hat JBoss Data Grid
SUSE Linux Enterprise Module for Development Tools
Red Hat Process Automation
Red Hat build of Quarkus
Red Hat Integration Service Registry
Red Hat Integration Camel Quarkus
Red Hat Data Grid
Red Hat JBoss Fuse Service Works
Red Hat JBoss Enterprise Application Platform Expansion Pack
SUSE Linux Enterprise High Performance Computing
Suse Linux Enterprise Server
SUSE Linux Enterprise Server for SAP Applications
SUSE Manager Proxy
SUSE Manager Server
Suse Linux Enterprise Desktop
SUSE Enterprise Storage
SUSE Manager Retail Branch Server
Red Hat Integration Change Data Capture
SUSE Linux Enterprise Real Time
SUSE Linux Enterprise Server Business Critical Linux
Decision Manager
Red Hat Integration Camel for Spring Boot
Red Hat JBoss Enterprise Application Platform
Red Hat support for Spring Boot
Red Hat Process Automation Manager
Red Hat A-MQ Online
Plexus
Red Hat Integration Camel K
Red Hat JBoss Web Server
Logstash

Версия ПО

7 (Red Hat Enterprise Linux)
7 (Red Hat JBoss Fuse)
10 (Debian GNU/Linux)
- (Red Hat Software Collections)
6 (Red Hat JBoss Fuse)
7 (Red Hat JBoss Data Grid)
15 SP2 (SUSE Linux Enterprise Module for Development Tools)
7 (Red Hat Process Automation)
- (Red Hat build of Quarkus)
- (Red Hat Integration Service Registry)
- (Red Hat Integration Camel Quarkus)
11 (Debian GNU/Linux)
12 (Debian GNU/Linux)
8 (Red Hat Data Grid)
6 (Red Hat JBoss Fuse Service Works)
- (Red Hat JBoss Enterprise Application Platform Expansion Pack)
15 SP3 (SUSE Linux Enterprise High Performance Computing)
15 SP3 (Suse Linux Enterprise Server)
15 SP3 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Proxy)
4.2 (SUSE Manager Server)
15 SP3 (Suse Linux Enterprise Desktop)
7 (SUSE Enterprise Storage)
15 SP2 (Suse Linux Enterprise Server)
15 SP2 (SUSE Linux Enterprise Server for SAP Applications)
4.1 (SUSE Manager Server)
4.1 (SUSE Manager Proxy)
15 SP2-ESPOS (SUSE Linux Enterprise High Performance Computing)
15 SP2-LTSS (SUSE Linux Enterprise High Performance Computing)
15 SP3 (SUSE Linux Enterprise Module for Development Tools)
4.1 (SUSE Manager Retail Branch Server)
15 SP4 (Suse Linux Enterprise Server)
15 SP2 (Suse Linux Enterprise Desktop)
15 SP2 (SUSE Linux Enterprise High Performance Computing)
- (Red Hat Integration Change Data Capture)
15 SP4 (Suse Linux Enterprise Desktop)
15 SP2-BCL (Suse Linux Enterprise Server)
15 SP4 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Retail Branch Server)
15 SP2-LTSS (Suse Linux Enterprise Server)
15 SP2 (SUSE Linux Enterprise Real Time)
4.3 (SUSE Manager Retail Branch Server)
4.3 (SUSE Manager Proxy)
4.3 (SUSE Manager Server)
15 SP4 (SUSE Linux Enterprise High Performance Computing)
7.1 (SUSE Enterprise Storage)
15 SP4 (SUSE Linux Enterprise Module for Development Tools)
15 SP2 (SUSE Linux Enterprise Server Business Critical Linux)
7 (Decision Manager)
- (Red Hat Integration Camel for Spring Boot)
15 SP3-LTSS (Suse Linux Enterprise Server)
15 SP3-ESPOS (SUSE Linux Enterprise High Performance Computing)
15 SP3-LTSS (SUSE Linux Enterprise High Performance Computing)
15 SP3 (SUSE Linux Enterprise Real Time)
15 SP3-BCL (Suse Linux Enterprise Server)
15 SP5 (SUSE Linux Enterprise Server for SAP Applications)
15 SP5 (Suse Linux Enterprise Server)
15 SP5 (Suse Linux Enterprise Desktop)
15 SP5 (SUSE Linux Enterprise High Performance Computing)
15 SP5 (SUSE Linux Enterprise Module for Development Tools)
15 SP4 (SUSE Linux Enterprise Real Time)
7 (Red Hat JBoss Enterprise Application Platform)
6 (Red Hat JBoss Enterprise Application Platform)
- (Red Hat support for Spring Boot)
7.13.1 (Red Hat Process Automation Manager)
- (Red Hat A-MQ Online)
15 SP4-ESPOS (SUSE Linux Enterprise High Performance Computing)
15 SP4-LTSS (SUSE Linux Enterprise High Performance Computing)
15 SP4-LTSS (Suse Linux Enterprise Desktop)
до 3.0.24 (Plexus)
15 SP4-LTSS (Suse Linux Enterprise Server)
1.10.1 (Red Hat Integration Camel K)
3 (Red Hat JBoss Web Server)
15 SP3 (SUSE Linux Enterprise Server Business Critical Linux)
8.12.1 (Logstash)

Тип ПО

Операционная система
Прикладное ПО информационных систем
Сетевое средство

Операционные системы и аппаратные платформы

Red Hat Inc. Red Hat Enterprise Linux 7
Сообщество свободного программного обеспечения Debian GNU/Linux 10
Сообщество свободного программного обеспечения Debian GNU/Linux 11
Сообщество свободного программного обеспечения Debian GNU/Linux 12
Novell Inc. Suse Linux Enterprise Server 15 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3
Novell Inc. Suse Linux Enterprise Desktop 15 SP3
Novell Inc. Suse Linux Enterprise Server 15 SP2
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2
Novell Inc. Suse Linux Enterprise Server 15 SP4
Novell Inc. Suse Linux Enterprise Desktop 15 SP2
Novell Inc. Suse Linux Enterprise Desktop 15 SP4
Novell Inc. Suse Linux Enterprise Server 15 SP2-BCL
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4
Novell Inc. Suse Linux Enterprise Server 15 SP2-LTSS
Novell Inc. SUSE Linux Enterprise Real Time 15 SP2
Novell Inc. SUSE Linux Enterprise Server Business Critical Linux 15 SP2
Novell Inc. Suse Linux Enterprise Server 15 SP3-LTSS
Novell Inc. SUSE Linux Enterprise Real Time 15 SP3
Novell Inc. Suse Linux Enterprise Server 15 SP3-BCL
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP5
Novell Inc. Suse Linux Enterprise Server 15 SP5
Novell Inc. Suse Linux Enterprise Desktop 15 SP5
Novell Inc. SUSE Linux Enterprise Real Time 15 SP4
Novell Inc. Suse Linux Enterprise Desktop 15 SP4-LTSS
Novell Inc. Suse Linux Enterprise Server 15 SP4-LTSS
Novell Inc. SUSE Linux Enterprise Server Business Critical Linux 15 SP3

Уровень опасности уязвимости

Высокий уровень опасности (базовая оценка CVSS 2.0 составляет 7,8)
Высокий уровень опасности (базовая оценка CVSS 3.0 составляет 7,5)

Возможные меры по устранению уязвимости

Использование рекомендаций:
Для Plexus:
https://github.com/codehaus-plexus/plexus-utils/issues/4
https://github.com/codehaus-plexus/plexus-utils/commit/33a2853df8185b4519b1b8bfae284f03392618ef
Для Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2022-4244
Для программных продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/CVE-2022-4244
Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2022-4244.html
Для Logstash:
Организационные меры:
1. Ограничить использование программного средства
2. Использование аналогичного программного средства

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Данные уточняются

Информация об устранении

Уязвимость устранена

Ссылки на источники

Идентификаторы других систем описаний уязвимостей

EPSS

Процентиль: 50%
0.00266
Низкий

7.5 High

CVSS3

7.8 High

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2022-4244

CVSS3: 7.5
ubuntu
больше 2 лет назад

A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.

redhat логотип

CVE-2022-4244

CVSS3: 7.5
redhat
около 3 лет назад

A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.

nvd логотип

CVE-2022-4244

CVSS3: 7.5
nvd
больше 2 лет назад

A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.

debian логотип

CVE-2022-4244

CVSS3: 7.5
debian
больше 2 лет назад

A flaw was found in codeplex-codehaus. A directory traversal attack (a ...

github логотип

GHSA-g6ph-x5wf-g337

CVSS3: 7.5
github
больше 2 лет назад

plexus-codehaus vulnerable to directory traversal

EPSS

Процентиль: 50%
0.00266
Низкий

7.5 High

CVSS3

7.8 High

CVSS2