CVE-2022-39296: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

October 11, 2022 (updated October 14, 2022)

MelisAssetManager provides deliveries of Melis Platform’s assets located in every module’s public folder. Attackers can read arbitrary files on affected versions of melisplatform/melis-asset-manager, leading to the disclosure of sensitive information. Conducting this attack does not require authentication. Users should immediately upgrade to melisplatform/melis-asset-manager >= 5.0.1. This issue was addressed by restricting access to files to intended directories only.

References

github.com/advisories/GHSA-7fj2-rrq6-rphq
github.com/melisplatform/melis-asset-manager/commit/a0f75918c049aff78953a0bc91c585153595d1bd
github.com/melisplatform/melis-asset-manager/security/advisories/GHSA-7fj2-rrq6-rphq
nvd.nist.gov/vuln/detail/CVE-2022-39296

Code Behaviors & Features

Detect and mitigate CVE-2022-39296 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →