
CVE-2022-25842 com.alibaba.oneagent:one-java-agent-plugin

Package

Manager: maven
Name: com.alibaba.oneagent:one-java-agent-plugin
Vulnerable Version: >=0 <0.0.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.02707 (percentile 0.85341)

Details

Path Traversal in com.alibaba.oneagent:one-java-agent-plugin

All versions of package `com.alibaba.oneagent:one-java-agent-plugin` are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. `../../evil.exe`). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim's machine.

Metadata

Created: 2022-05-03T00:00:44Z
Modified: 2022-05-20T21:17:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hr3-j9mc-xmq2/GHSA-9hr3-j9mc-xmq2.json
CWE IDs: ["CWE-22", "CWE-29"]
Alternative ID: GHSA-9hr3-j9mc-xmq2
Finding: F063
Auto approve: 1