Base Score

HIGH7.5

CVE-2022-2712

In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal because it does not filter request path starting with './'. Successful exploitation could allow an remote unauthenticated attacker to access critical data, such as configuration files and deployed application source code.

VectorNETWORK

Published Byemo@eclipse.org

Published DateJan 27, 2023, 10:15

Affected Versions(1)

org.glassfish.main.web:web(Maven)

Introduced5.1.0

Fixed7.0.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.glassfish.main.web:web(Maven)	5.1.0	7.0.0	N/A

Weakness Type (CWE):CWE-22

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE

References

https://bugs.eclipse.org/580502

Base Score

HIGH7.5

Weakness Type (CWE):CWE-22

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE