CVE-2022-25297

Опубликовано: 21 фев. 2022

Источник: nvd

CVSS3: 7.5

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

This affects the package drogonframework/drogon before 1.7.5. The unsafe handling of file names during upload using HttpFile::save() method may enable attackers to write files to arbitrary locations outside the designated target folder.

Ссылки

https://github.com/drogonframework/drogon/commit/3c785326c63a34aa1799a639ae185bc9453cb447
Patch
Third Party Advisory
https://github.com/drogonframework/drogon/pull/1174
Exploit
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-2407243
Exploit
Patch
Third Party Advisory
https://github.com/drogonframework/drogon/commit/3c785326c63a34aa1799a639ae185bc9453cb447
Patch
Third Party Advisory
https://github.com/drogonframework/drogon/pull/1174
Exploit
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-2407243
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:drogon:drogon:*:*:*:*:*:*:*:*

Версия до 1.7.5 (исключая)

EPSS

Процентиль: 66%

0.00515

Низкий

7.5 High

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-552

Связанные уязвимости

GHSA-5gj5-vjr8-vv8h

github

почти 4 года назад

EPSS

Процентиль: 66%

0.00515

Низкий

7.5 High

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-552