Improper Input Validation leading to Path Traversal in CycloneDX BOM Repository Server
CVE-2022-24774

7.1HIGH

Key Information:

Vendor: Cyclonedx
Status: Cyclonedx-bom-repo-server
Vendor: CVE Published:; 22 March 2022

What is CVE-2022-24774?

CycloneDX BOM Repository Server is a bill of materials (BOM) repository server for distributing CycloneDX BOMs. CycloneDX BOM Repository Server before version 2.0.1 has an improper input validation vulnerability leading to path traversal. A malicious user may potentially exploit this vulnerability to create arbitrary directories or a denial of service by deleting arbitrary directories. The vulnerability is resolved in version 2.0.1. The vulnerability is not exploitable with the default configuration with the post and delete methods disabled. This can be configured by modifying the appsettings.json file, or alternatively, setting the environment variables ALLOWEDMETHODS__POST and ALLOWEDMETHODS__DELETE to false.

Affected Version(s)

cyclonedx-bom-repo-server < 2.0.1

References

https://github.com/CycloneDX/cyclonedx-bom-repo-server/se...

x_refsource_CONFIRM

https://github.com/CycloneDX/cyclonedx-bom-repo-server/co...

x_refsource_MISC

https://github.com/CycloneDX/cyclonedx-bom-repo-server/re...

x_refsource_MISC

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 22, 2022
Vulnerability Reserved
Feb 10, 2022

Cyclonedx

What is CVE-2022-24774?

Affected Version(s)

References

CVSS V3.1

Timeline