CVE-2022-25842
Path Traversal in com.alibaba.oneagent:one-java-agent-plugin
6.9
MEDIUM
CVSS 3.1
EPSS 2.7%
Description
All versions of package `com.alibaba.oneagent:one-java-agent-plugin` are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. `../../evil.exe`). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.
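The defence against the Zip Slip pattern described above is to resolve every archive entry name against the destination directory and reject any entry whose normalized path lands outside it, before anything is written. The following is an added illustration in Java and is not code from the one-java-agent-plugin project; the class name `SafeUnzip` and the methods `resolveEntry` and `extract` are hypothetical names chosen here, and the entry names in `main` are constructed sample values rather than anything taken from a real archive.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public class SafeUnzip {

    // Resolve an entry name against the destination directory and reject any
    // entry whose normalized path escapes it. This is the check that an
    // unguarded "new File(destDir, entry.getName())" lacks: a name such as
    // "../../evil.exe" (or an absolute path) would otherwise be written
    // outside destDir. Path.startsWith compares whole name elements, so a
    // sibling directory with a longer name does not pass as a prefix.
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("Zip Slip: entry escapes destination: " + entryName);
        }
        return target;
    }

    // Extract an archive, validating every entry before creating it.
    static void extract(File archive, Path destDir) throws IOException {
        try (ZipFile zip = new ZipFile(archive)) {
            Enumeration<? extends ZipEntry> entries = zip.entries();
            while (entries.hasMoreElements()) {
                ZipEntry entry = entries.nextElement();
                Path target = resolveEntry(destDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                try (InputStream in = zip.getInputStream(entry)) {
                    Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed demonstration: no archive is opened, only names are checked.
        Path dest = Files.createTempDirectory("unzip-demo");
        System.out.println("accepted: " + resolveEntry(dest, "plugin/config.yml"));
        try {
            resolveEntry(dest, "../../evil.exe");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check is done on the normalized path rather than on the raw entry name, so variants that combine `..` with intermediate directories (for example `a/../../evil.exe`) are caught as well; rejecting the whole extraction on the first bad entry, rather than skipping it, is the safer default because a crafted archive rarely contains only one such entry.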
How to fix CVE-2022-25842
To fix CVE-2022-25842, upgrade the affected package to one of the patched versions listed below.
- Upgrade to version 0.0.2 or later
Is CVE-2022-25842 being exploited?
Low: the EPSS score is 2.7%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 0.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:L |