CVE-2022-45866
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-45866
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-45866.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-45866
- Published
- 2022-11-23T20:15:10Z
- Modified
- 2025-10-21T07:15:47.504594Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file.
- References
-
- https://github.com/EvgeniyPatlan/qpress/commit/ddb312090ebd5794e81bc6fb1dfb4e79eda48761
- https://github.com/PierreLvx/qpress/compare/20170415...20220819
- https://github.com/PierreLvx/qpress/pull/6
- https://github.com/percona/percona-xtrabackup/pull/1366
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQWF7635AJSDKEIGLB73XAH643POGTFY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4RXO3VYIFRTNIFHWIAZWND6ZXQ5OYOB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UUZ73XT2FXLHC7I4ODLOVB4O4QN7Q7JB/
- https://pkgs.org/download/qpress
Affected packages
Git / github.com/evgeniypatlan/qpress
Affected ranges
- Type
- GIT
- Repo
- https://github.com/evgeniypatlan/qpress
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Database specific
vanir_signatures
[
{
"deprecated": false,
"id": "CVE-2022-45866-309e3628",
"source": "https://github.com/evgeniypatlan/qpress/commit/ddb312090ebd5794e81bc6fb1dfb4e79eda48761",
"signature_version": "v1",
"target": {
"file": "qpress.cpp"
},
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"165681341996903462382724804317537371231",
"280950552592433508324645601613569106410",
"152425926461195821601733002185298632827",
"210649292688485667024453137963382803765",
"311984534777797894338883491476150618523",
"40474840347025451484466463127201989643",
"315094204636216702504697816662283079421",
"136576270636418745687106323022523000422",
"259933354616104424474613010318560943121",
"20399720491762195306154615047507393337",
"306942522876876289161269677097104108153",
"323169110135014150324121626149160976463",
"304755878154402647412962449438102229938",
"214881406235150846864073536995441500590",
"62040950797057498489736362735711511245",
"153719876602935340839125189136890419460",
"233177848015367538166113230183660859032",
"176594758305448876557826261108469078314"
]
}
},
{
"deprecated": false,
"id": "CVE-2022-45866-34fd4606",
"source": "https://github.com/evgeniypatlan/qpress/commit/ddb312090ebd5794e81bc6fb1dfb4e79eda48761",
"signature_version": "v1",
"target": {
"function": "decompress_directory",
"file": "qpress.cpp"
},
"signature_type": "Function",
"digest": {
"function_hash": "124084074116828457641346450803559922119",
"length": 1064.0
}
}
]