cvelistv5 - cve-2022-32287

CVE-2022-32287 (GCVE-0-2022-32287)

Vulnerability from cvelistv5 – Published: 2022-11-03 00:00 – Updated: 2025-05-02 20:24

Summary

A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.

Severity ?

No CVSS data available.

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/57vk0d79j94d0lk0v…
	http://www.openwall.com/lists/oss-security/2022/11/03/4	mailing-list

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache UIMA	Affected: Java SDK , ≤ 3.3.0 (custom)

Credits

Apache UIMA would like to thank Huangzhicong from CodeSafe Team of Legendsec at Qi'anxin Group

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:39:50.666Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
          },
          {
            "name": "[oss-security] 20221103 CVE-2022-32287: Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-32287",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-02T20:24:12.849015Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-02T20:24:43.887Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache UIMA",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "3.3.0",
              "status": "affected",
              "version": "Java SDK",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache UIMA would like to thank Huangzhicong from CodeSafe Team of Legendsec at Qi\u0027anxin Group"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "low"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-03T00:00:00.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
        },
        {
          "name": "[oss-security] 20221103 CVE-2022-32287: Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-32287",
    "datePublished": "2022-11-03T00:00:00.000Z",
    "dateReserved": "2022-06-03T00:00:00.000Z",
    "dateUpdated": "2025-05-02T20:24:43.887Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:uimaj:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"3.3.0\", \"matchCriteriaId\": \"38551E47-3B39-469A-A59C-FA02819BD0B8\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de path traversal en una clase FileUtil utilizada por el componente de administraci\\u00f3n PEAR de Apache UIMA permite a un atacante crear archivos fuera del directorio de destino designado utilizando nombres de entrada ZIP cuidadosamente manipulados. Este problema afecta a Apache UIMA Apache UIMA versi\\u00f3n 3.3.0 y versiones anteriores. Tenga en cuenta que los archivos PEAR nunca deben instalarse en una instalaci\\u00f3n UIMA desde fuentes que no sean de confianza porque los archivos PEAR son complementos ejecutables que podr\\u00e1n realizar cualquier acci\\u00f3n con los mismos privilegios que la m\\u00e1quina virtual Java host.\"}]",
      "id": "CVE-2022-32287",
      "lastModified": "2024-11-21T07:06:06.527",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2022-11-03T12:15:09.743",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/03/4\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/03/4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-32287\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-11-03T12:15:09.743\",\"lastModified\":\"2025-05-02T21:15:17.520\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de path traversal en una clase FileUtil utilizada por el componente de administraci\u00f3n PEAR de Apache UIMA permite a un atacante crear archivos fuera del directorio de destino designado utilizando nombres de entrada ZIP cuidadosamente manipulados. Este problema afecta a Apache UIMA Apache UIMA versi\u00f3n 3.3.0 y versiones anteriores. Tenga en cuenta que los archivos PEAR nunca deben instalarse en una instalaci\u00f3n UIMA desde fuentes que no sean de confianza porque los archivos PEAR son complementos ejecutables que podr\u00e1n realizar cualquier acci\u00f3n con los mismos privilegios que la m\u00e1quina virtual Java host.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:uimaj:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.3.0\",\"matchCriteriaId\":\"38551E47-3B39-469A-A59C-FA02819BD0B8\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/03/4\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/03/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/03/4\", \"name\": \"[oss-security] 20221103 CVE-2022-32287: Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives\", \"tags\": [\"mailing-list\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T07:39:50.666Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-32287\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-02T20:24:12.849015Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-02T20:24:37.811Z\"}}], \"cna\": {\"title\": \"Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"Apache UIMA would like to thank Huangzhicong from CodeSafe Team of Legendsec at Qi\u0027anxin Group\"}], \"metrics\": [{\"other\": {\"type\": \"unknown\", \"content\": {\"other\": \"low\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache UIMA\", \"versions\": [{\"status\": \"affected\", \"version\": \"Java SDK\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"3.3.0\"}]}], \"references\": [{\"url\": \"https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/03/4\", \"name\": \"[oss-security] 20221103 CVE-2022-32287: Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives\", \"tags\": [\"mailing-list\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2022-11-03T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-32287\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-02T20:24:43.887Z\", \"dateReserved\": \"2022-06-03T00:00:00.000Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2022-11-03T00:00:00.000Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-XGQR-5WQW-9FPV

Vulnerability from github – Published: 2022-11-03 19:00 – Updated: 2022-11-04 20:44

Summary

Apache UIMA Path Traversal vulnerability

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.uima:uimaj-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-32287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-03T21:11:17Z",
    "nvd_published_at": "2022-11-03T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.",
  "id": "GHSA-xgqr-5wqw-9fpv",
  "modified": "2022-11-04T20:44:39Z",
  "published": "2022-11-03T19:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32287"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache UIMA Path Traversal vulnerability"
}

WID-SEC-W-2024-3717

Vulnerability from csaf_certbund - Published: 2024-12-17 23:00 - Updated: 2024-12-17 23:00

Summary

IBM FileNet und Content Manager: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

IBM FileNet ist eine Enterprise Content Management Plattform für die Verwaltung von Inhalten, Prozessen und Compliance. IBM WEBi ist ein stand-alone Web Client zum Arbeiten mit Inhalten von mehreren Servern gleichzeitig.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM FileNet und IBM Content Manager ausnutzen, um beliebigen Programmcode auszuführen oder Dateien zu verändern.

Betroffene Betriebssysteme

- Linux - Sonstiges - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "IBM FileNet ist eine Enterprise Content Management Plattform f\u00fcr die Verwaltung von Inhalten, Prozessen und Compliance.\r\nIBM WEBi ist ein stand-alone Web Client zum Arbeiten mit Inhalten von mehreren Servern gleichzeitig.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM FileNet und IBM Content Manager ausnutzen, um beliebigen Programmcode auszuf\u00fchren oder Dateien zu ver\u00e4ndern.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-3717 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3717.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-3717 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3717"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2024-12-17",
        "url": "https://www.ibm.com/support/pages/node/7179262"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2024-12-17",
        "url": "https://www.ibm.com/support/pages/node/7179263"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM FileNet und Content Manager: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-12-17T23:00:00.000+00:00",
      "generator": {
        "date": "2024-12-18T11:17:11.073+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2024-3717",
      "initial_release_date": "2024-12-17T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-12-17T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Text Search 5.6.0.0",
                "product": {
                  "name": "IBM Content Manager Text Search 5.6.0.0",
                  "product_id": "T039882",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:content_manager:text_search__5.6.0.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Text Search 5.5.8.0",
                "product": {
                  "name": "IBM Content Manager Text Search 5.5.8.0",
                  "product_id": "T039883",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:content_manager:text_search__5.5.8.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Text Search 5.5.12.0",
                "product": {
                  "name": "IBM Content Manager Text Search 5.5.12.0",
                  "product_id": "T039884",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:content_manager:text_search__5.5.12.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Content Manager"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "5.6.0.0",
                "product": {
                  "name": "IBM FileNet 5.6.0.0",
                  "product_id": "T039879",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:filenet_p8_application_engine:5.6.0.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "5.5.8.0",
                "product": {
                  "name": "IBM FileNet 5.5.8.0",
                  "product_id": "T039880",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:filenet_p8_application_engine:5.5.8.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "5.5.12.0",
                "product": {
                  "name": "IBM FileNet 5.5.12.0",
                  "product_id": "T039881",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:filenet_p8_application_engine:5.5.12.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "FileNet"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-32287",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in IBM FileNet und IBM Content Manager. Diese Schwachstellen sind auf eine unsachgem\u00e4\u00dfe Eingabevalidierung und unsichere Deserialisierung in der PEAR-Verwaltung und dem Java SDK der Apache UIMA-Komponente zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren oder Dateien zu erstellen und zu ver\u00e4ndern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039881",
          "T039880",
          "T039879",
          "T039883",
          "T039882",
          "T039884"
        ]
      },
      "release_date": "2024-12-17T23:00:00.000+00:00",
      "title": "CVE-2022-32287"
    },
    {
      "cve": "CVE-2023-39913",
      "notes": [
        {
          "category": "description",
          "text": "Es bestehen mehrere Schwachstellen in IBM FileNet und IBM Content Manager. Diese Schwachstellen sind auf eine unsachgem\u00e4\u00dfe Eingabevalidierung und unsichere Deserialisierung in der PEAR-Verwaltung und dem Java SDK der Apache UIMA-Komponente zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuf\u00fchren oder Dateien zu erstellen und zu ver\u00e4ndern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039881",
          "T039880",
          "T039879",
          "T039883",
          "T039882",
          "T039884"
        ]
      },
      "release_date": "2024-12-17T23:00:00.000+00:00",
      "title": "CVE-2023-39913"
    }
  ]
}

CNVD-2022-76232

Vulnerability from cnvd - Published: 2022-11-11

Title

Apache UIMA路径遍历漏洞

Description

Apache UIMA是美国阿帕奇（Apache）基金会的一个组件化的软件架构。用于分析同终端用户相关联的大容量非结构化信息。 Apache UIMA 3.3.0及之前版本存在路径遍历漏洞，该漏洞源于相对路径遍历，攻击者可利用该漏洞使用精心设计的ZIP条目名称在指定目标目录之外创建文件。

Severity

高

Patch Name

Apache UIMA路径遍历漏洞的补丁

Patch Description

Apache UIMA是美国阿帕奇（Apache）基金会的一个组件化的软件架构。用于分析同终端用户相关联的大容量非结构化信息。 Apache UIMA 3.3.0及之前版本存在路径遍历漏洞，该漏洞源于相对路径遍历，攻击者可利用该漏洞使用精心设计的ZIP条目名称在指定目标目录之外创建文件。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-32287

Impacted products

Name
Apache unstructured information management architecture <=3.3.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-32287",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-32287"
    }
  },
  "description": "Apache UIMA\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u7ec4\u4ef6\u5316\u7684\u8f6f\u4ef6\u67b6\u6784\u3002\u7528\u4e8e\u5206\u6790\u540c\u7ec8\u7aef\u7528\u6237\u76f8\u5173\u8054\u7684\u5927\u5bb9\u91cf\u975e\u7ed3\u6784\u5316\u4fe1\u606f\u3002\n\nApache UIMA 3.3.0\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u76f8\u5bf9\u8def\u5f84\u904d\u5386\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u7528\u7cbe\u5fc3\u8bbe\u8ba1\u7684ZIP\u6761\u76ee\u540d\u79f0\u5728\u6307\u5b9a\u76ee\u6807\u76ee\u5f55\u4e4b\u5916\u521b\u5efa\u6587\u4ef6\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a \r\nhttps://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-76232",
  "openTime": "2022-11-11",
  "patchDescription": "Apache UIMA\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u7ec4\u4ef6\u5316\u7684\u8f6f\u4ef6\u67b6\u6784\u3002\u7528\u4e8e\u5206\u6790\u540c\u7ec8\u7aef\u7528\u6237\u76f8\u5173\u8054\u7684\u5927\u5bb9\u91cf\u975e\u7ed3\u6784\u5316\u4fe1\u606f\u3002\r\n\r\nApache UIMA 3.3.0\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u76f8\u5bf9\u8def\u5f84\u904d\u5386\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u7528\u7cbe\u5fc3\u8bbe\u8ba1\u7684ZIP\u6761\u76ee\u540d\u79f0\u5728\u6307\u5b9a\u76ee\u6807\u76ee\u5f55\u4e4b\u5916\u521b\u5efa\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache UIMA\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache unstructured information management architecture \u003c=3.3.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-32287",
  "serverity": "\u9ad8",
  "submitTime": "2022-11-05",
  "title": "Apache UIMA\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}

GSD-2022-32287

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-32287

Aliases

CVE-2022-32287

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-32287",
    "description": "A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.",
    "id": "GSD-2022-32287"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-32287"
      ],
      "details": "A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.",
      "id": "GSD-2022-32287",
      "modified": "2023-12-13T01:19:12.957008Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2022-32287",
        "STATE": "PUBLIC",
        "TITLE": "Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache UIMA",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "Java SDK",
                          "version_value": "3.3.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Apache UIMA would like to thank Huangzhicong from CodeSafe Team of Legendsec at Qi\u0027anxin Group"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": [
        {
          "other": "low"
        }
      ],
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
          },
          {
            "name": "[oss-security] 20221103 CVE-2022-32287: Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,3.3.1)",
          "affected_versions": "All versions before 3.3.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2023-05-22",
          "description": "A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.",
          "fixed_versions": [
            "3.3.1"
          ],
          "identifier": "CVE-2022-32287",
          "identifiers": [
            "CVE-2022-32287",
            "GHSA-xgqr-5wqw-9fpv"
          ],
          "not_impacted": "All versions starting from 3.3.1",
          "package_slug": "maven/org.apache.uima/uimaj-core",
          "pubdate": "2022-11-03",
          "solution": "Upgrade to version 3.3.1 or above.",
          "title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-32287",
            "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd",
            "http://www.openwall.com/lists/oss-security/2022/11/03/4",
            "https://github.com/advisories/GHSA-xgqr-5wqw-9fpv"
          ],
          "uuid": "2b13694c-4c5a-41dc-a505-d79778c0a249"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:uimaj:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.3.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-32287"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
            },
            {
              "name": "[oss-security] 20221103 CVE-2022-32287: Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-05-22T15:44Z",
      "publishedDate": "2022-11-03T12:15Z"
    }
  }
}

FKIE_CVE-2022-32287

Vulnerability from fkie_nvd - Published: 2022-11-03 12:15 - Updated: 2025-05-02 21:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

References

URL	Tags
security@apache.org	http://www.openwall.com/lists/oss-security/2022/11/03/4	Mailing List, Third Party Advisory
security@apache.org	https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/11/03/4	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd	Mailing List, Vendor Advisory

Impacted products

	Vendor	Product	Version
	apache	uimaj	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:uimaj:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "38551E47-3B39-469A-A59C-FA02819BD0B8",
              "versionEndIncluding": "3.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A relative path traversal vulnerability in a FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. This issue affects Apache UIMA Apache UIMA version 3.3.0 and prior versions. Note that PEAR files should never be installed into an UIMA installation from untrusted sources because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de path traversal en una clase FileUtil utilizada por el componente de administraci\u00f3n PEAR de Apache UIMA permite a un atacante crear archivos fuera del directorio de destino designado utilizando nombres de entrada ZIP cuidadosamente manipulados. Este problema afecta a Apache UIMA Apache UIMA versi\u00f3n 3.3.0 y versiones anteriores. Tenga en cuenta que los archivos PEAR nunca deben instalarse en una instalaci\u00f3n UIMA desde fuentes que no sean de confianza porque los archivos PEAR son complementos ejecutables que podr\u00e1n realizar cualquier acci\u00f3n con los mismos privilegios que la m\u00e1quina virtual Java host."
    }
  ],
  "id": "CVE-2022-32287",
  "lastModified": "2025-05-02T21:15:17.520",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2022-11-03T12:15:09.743",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/11/03/4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/57vk0d79j94d0lk0vol8xn935yv1shdd"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security@apache.org",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-32287 (GCVE-0-2022-32287)

GHSA-XGQR-5WQW-9FPV

WID-SEC-W-2024-3717

CNVD-2022-76232

GSD-2022-32287

FKIE_CVE-2022-32287

Tags

Sightings

Nomenclature