CVE-2022-45921 – io.fusionauth:fusionauth-java-client
Package
Manager: maven
Name: io.fusionauth:fusionauth-java-client
Vulnerable Version: >=1.37.0 <1.41.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00244 (percentile: 0.47595)
Details
FusionAuth vulnerable to directory traversal attack
FusionAuth before 1.41.3 allows a file outside of the application root to be viewed or retrieved using an HTTP request. Specifically, an attacker may be able to view or retrieve any file readable by the user running the FusionAuth process.
Metadata
Created: 2022-11-28T21:30:21Z
Modified: 2022-12-03T04:09:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-rmcx-fg5w-x8j9/GHSA-rmcx-fg5w-x8j9.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-rmcx-fg5w-x8j9
Finding: F063
Auto approve: 1