GHSA-4gjr-vgfx-9qvw

Опубликовано: 12 дек. 2022

Источник: github

Github: Прошло ревью

CVSS3: 8.8

Описание

AList vulnerable to Improper Preservation of Permissions

Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one). Version 3.5.1 contains a patch.

Ссылки

https://nvd.nist.gov/vuln/detail/CVE-2022-45968
https://github.com/alist-org/alist/issues/2444
https://github.com/alist-org/alist/commit/85e1350af82e1759ca6580895e48ab969eb566cf

Пакеты

Наименование

github.com/alist-org/alist/v3

Затронутые версииВерсия исправления

< 3.5.1

3.5.1

EPSS

Процентиль: 60%

0.004

Низкий

8.8 High

CVSS3

CVE ID

CVE-2022-45968

Дефекты

CWE-281

CWE-434

Связанные уязвимости

CVE-2022-45968

CVSS3: 8.8

nvd

около 3 лет назад

Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one).

EPSS

Процентиль: 60%

0.004

Низкий

8.8 High

CVSS3

CVE ID

CVE-2022-45968

Дефекты

CWE-281

CWE-434