CVE-2022-25842 Vulnerability Details

  /     /     /  

CVE-2022-25842 Metadata Quick Info

CVE Published: 01/05/2022 | CVE Updated: 17/09/2024 | CVE Year: 2022
Source: snyk | Vendor: n/a | Product: com.alibaba.oneagent:one-java-agent-plugin
Status : PUBLISHED

---

CVE-2022-25842 Description

All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.

Metrics

CVSS Version: 3.1 | Base Score: 6.9 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:L/E:P

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* HIGH
    Privileges Required (PR)* NONE
    User Interaction (UI)* REQUIRED
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* NONE
    Availability Impact (A)* LOW

Weakness Enumeration (CWE)

CWE-ID:
CWE Name: Arbitrary File Write via Archive Extraction (Zip Slip)
Source: n/a

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).