GHSA-vp62-m958-qj8c

Suggest an improvement
Source
https://github.com/advisories/GHSA-vp62-m958-qj8c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-vp62-m958-qj8c/GHSA-vp62-m958-qj8c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vp62-m958-qj8c
Aliases
Published
2023-01-04T00:30:26Z
Modified
2023-11-08T04:10:13.095157Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Gravitee API Management contains Path Traversal
Details

This CVE addresses the partial fix for CVE-2019-25075

Gravitee API Management before 3.15.13 allows path traversal through HTML injection. A certain HTML injection combined with path traversal in the Email service in Gravitee API Management before 3.15.13 allows anonymous users to read arbitrary files via a /management/users/register request.

A patch was published in 2019 for this vulnerability but did not appear to have solved the issue. Version 3.15.13 did remove the flaw.

References

Affected packages

Maven / io.gravitee.apim:gravitee-api-management

Package

Name
io.gravitee.apim:gravitee-api-management
View open source insights on deps.dev
Purl
pkg:maven/io.gravitee.apim/gravitee-api-management

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.15.13

Affected versions

3.*

3.5.18
3.5.19
3.5.20
3.5.21
3.5.22
3.5.23
3.5.24
3.5.25
3.5.26
3.5.27
3.5.28
3.5.29
3.5.30
3.5.31
3.8.6
3.8.7
3.9.3
3.9.4
3.10.0
3.10.1
3.10.2
3.10.3
3.10.4
3.10.5
3.10.6
3.10.7
3.10.8
3.10.9
3.10.10
3.10.11
3.10.12
3.10.13
3.10.14
3.10.15
3.10.16
3.10.17
3.10.18
3.10.19
3.10.20
3.10.21
3.11.0
3.11.1
3.11.2
3.11.3
3.12.0
3.12.1
3.12.2
3.12.3
3.12.4
3.12.5
3.12.6
3.13.0
3.13.1
3.13.2
3.13.3
3.14.0
3.14.1
3.15.0
3.15.1
3.15.3
3.15.4
3.15.5
3.15.7
3.15.8
3.15.9
3.15.10
3.15.11
3.15.12