Skip to content

Improper input validation vulnerability leading to arbitrary creation of directories and a denial of service by deleting arbitrary directories.

High
coderpatros published GHSA-6c74-9588-wq9j Mar 22, 2022

Package

bom-repo-server (application)

Affected versions

<=2.0.0

Patched versions

2.0.1

Description

Impact

CycloneDX BOM Repository Server before version 2.0.1 has an improper input validation vulnerability leading to path traversal. A malicious user may potentially exploit this vulnerability to create arbitrary directories or a denial of service by deleting arbitrary directories.

Patches

The vulnerability is resolved in version 2.0.1.

Workarounds

The vulnerability is not exploitable in the default configuration with the post and delete methods disabled.

This can be configured by modifying the appsettings.json file, or alternatively, setting the environment variables ALLOWEDMETHODS__POST and ALLOWEDMETHODS__DELETE to false.

Acknowledgement

The CycloneDX project would like to thank Florian Grunow from ERNW Enno Rey Netzwerke GmbH for responsibly disclosing this vulnerability.

For more information

If you have any questions or comments about this advisory:

Severity

High
7.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

CVE ID

CVE-2022-24774