CVE-2022-45921
FusionAuth vulnerable to directory traversal attack
CVSS 3.1: 7.5 (HIGH)
EPSS: 0.58%
Description
FusionAuth before 1.41.3 allows a file outside of the application root to be viewed or retrieved using an HTTP request. To be specific, an attacker may be able to view or retrieve any file readable by the user running the FusionAuth process.
How to fix CVE-2022-45921
To remediate CVE-2022-45921, upgrade the affected package to a fixed version below.
- Upgrade to 1.41.3 or later
Is CVE-2022-45921 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.37.0, < 1.41.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |