GHSA-9hr3-j9mc-xmq2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9hr3-j9mc-xmq2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hr3-j9mc-xmq2/GHSA-9hr3-j9mc-xmq2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9hr3-j9mc-xmq2
- Aliases
-
- CVE-2022-25842
- Published
- 2022-05-03T00:00:44Z
- Modified
- 2023-11-08T04:08:48.762806Z
- Severity
-
- 6.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:L CVSS Calculator
- Summary
- Path Traversal in com.alibaba.oneagent:one-java-agent-plugin
- Details
-
All versions of package
com.alibaba.oneagent:one-java-agent-pluginare vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g.../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. - Database specific
{ "nvd_published_at": "2022-05-01T16:15:00Z", "github_reviewed_at": "2022-05-20T21:17:03Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-22", "CWE-29" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-25842
- https://github.com/alibaba/one-java-agent/pull/29
- https://github.com/alibaba/one-java-agent/pull/29/commits/359603b63fc6c59d8b57e061c171954bab3433bf
- https://github.com/alibaba/one-java-agent/pull/29/commits/b5b437f9f4c8cbfe7bdbe266e975a4bd513c13fe
- https://github.com/alibaba/one-java-agent
- https://github.com/alibaba/one-java-agent/blob/1f399a2299a8a409d15ea6111a7098629b8f1050/one-java-agent-plugin/src/main/java/com/alibaba/oneagent/utils/IOUtils.java
- https://snyk.io/vuln/SNYK-JAVA-COMALIBABAONEAGENT-2407874
Affected packages
Maven / com.alibaba.oneagent:one-java-agent-plugin
Package
- Name
- com.alibaba.oneagent:one-java-agent-plugin
- View open source insights on deps.dev
- Purl
- pkg:maven/com.alibaba.oneagent/one-java-agent-plugin