CVE-2022-45921: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

November 28, 2022 (updated November 30, 2022)

FusionAuth before 1.41.3 allows a file outside of the application root to be viewed or retrieved using an HTTP request. To be specific, an attacker may be able to view or retrieve any file readable by the user running the FusionAuth process.

References

fusionauth.io/docs/v1/tech/release-notes
github.com/FusionAuth/fusionauth-issues/issues/1983
github.com/advisories/GHSA-rmcx-fg5w-x8j9
nvd.nist.gov/vuln/detail/CVE-2022-45921

Code Behaviors & Features

Detect and mitigate CVE-2022-45921 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →