CVE-2019-25075 – io.gravitee.apim:gravitee-api-management
Package
Manager: maven
Name: io.gravitee.apim:gravitee-api-management
Vulnerable Version: >=0 <1.25.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00515 (percentile: 0.65665)
Details
Path Traversal in Gravitee API Management
HTML injection combined with path traversal in the Email service in Gravitee API Management before 1.25.3 allows anonymous users to read arbitrary files via a /management/users/register request.
Metadata
Created: 2022-08-24T00:00:31Z
Modified: 2022-08-30T20:55:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-xc4w-28g8-vqm5/GHSA-xc4w-28g8-vqm5.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-xc4w-28g8-vqm5
Finding: F063
Auto approve: 1