GHSA-xc4w-28g8-vqm5

Source
https://github.com/advisories/GHSA-xc4w-28g8-vqm5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-xc4w-28g8-vqm5/GHSA-xc4w-28g8-vqm5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xc4w-28g8-vqm5
Aliases
Published
2022-08-24T00:00:31Z
Modified
2023-11-08T04:01:33.041749Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Path Traversal in Gravitee API Management
Details

HTML injection combined with path traversal in the Email service in Gravitee API Management before 1.25.3 allows anonymous users to read arbitrary files via a /management/users/register request.

Database specific
{
    "nvd_published_at": "2022-08-23T01:15:00Z",
    "github_reviewed_at": "2022-08-30T20:55:17Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Maven / io.gravitee.apim:gravitee-api-management

Package

Name
io.gravitee.apim:gravitee-api-management
Purl
pkg:maven/io.gravitee.apim/gravitee-api-management

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.25.3