CVE-2022-39296

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-39296

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39296.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-39296

Aliases

GHSA-7fj2-rrq6-rphq

Published

2022-10-11T00:00:00Z

Modified

2025-12-04T10:35:45.506052Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator

Summary

Path traversal in MelisAssetManager

Details

MelisAssetManager provides deliveries of Melis Platform's assets located in every module's public folder. Attackers can read arbitrary files on affected versions of melisplatform/melis-asset-manager, leading to the disclosure of sensitive information. Conducting this attack does not require authentication. Users should immediately upgrade to melisplatform/melis-asset-manager >= 5.0.1. This issue was addressed by restricting access to files to intended directories only.

Database specific

{
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39296.json"
}

References

Affected packages

Git / github.com/melisplatform/melis-asset-manager

Affected ranges

Type: GIT
Repo: https://github.com/melisplatform/melis-asset-manager
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

a0f75918c049aff78953a0bc91c585153595d1bd

Affected versions

v2.*

v2.1

v2.1.1

v2.2.0

v2.3.0

v2.4.0

v2.5.0

v2.5.1

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.1.0

v3.1.1

v3.1.2

v3.2.0

v3.2.1

v3.2.2

v3.2.3

v3.2.4

v3.2.5

v3.2.6

v4.*

v4.0.0

v4.0.1

v4.1.0

v5.*

v5.0.0