Path Traversal Vulnerability in Eclipse GlassFish by Eclipse Foundation
CVE-2022-2712
6.5 MEDIUM
What is CVE-2022-2712?
Eclipse GlassFish versions 5.1.0 through 6.2.5 contain a relative path traversal vulnerability: the server does not filter request paths that begin with './', so a remote, unauthenticated attacker can craft a request path that reaches files the server should not expose. Successful exploitation discloses critical data such as server configuration files and the source code of deployed applications. The flaw is read-only, so it affects confidentiality but not integrity or availability, which is what the CVSS metrics below reflect. Deployments on an affected version should move to a release newer than 6.2.5; until then, fronting the server with a reverse proxy that normalizes request paths before forwarding, and rejecting requests that still contain '.' or '..' segments after normalization, limits exposure.
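As an added illustration (not part of this advisory and not GlassFish's own code), the hypothetical handlers below show the failure mode the description names: an access-control check that runs on the raw request path while the resource lookup runs on the normalized path, so a request beginning with './' slips past a check on restricted directories. The in-memory docroot, the restricted-directory names, the handler functions and the access-log lines are all constructed for the example; the detection helper at the end scans log lines for literal or percent-encoded dot segments, which legitimate clients normalize away before sending.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed stand-in for a deployed web application's docroot. In a servlet
# container, WEB-INF/ and META-INF/ hold configuration and compiled classes and
# must never be served directly; everything else is a public resource.
DOCROOT = {
    "index.html": b"<h1>hello</h1>",
    "WEB-INF/web.xml": b"<web-app>...</web-app>",
    "WEB-INF/classes/App.class": b"\xca\xfe\xba\xbe",
}
RESTRICTED = ("WEB-INF", "META-INF")


def canonicalize(request_path: str) -> str:
    """Decode and normalize a request path before it is used for anything.

    Returns a docroot-relative path with no '.' or '..' segments; '..' that
    would climb above the docroot is clamped at the root by normpath.
    """
    decoded = unquote(request_path)  # decode exactly once, never in a loop
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    return normalized.lstrip("/")


def first_segment(path: str) -> str:
    """First path component, used as the restricted-directory key."""
    return path.lstrip("/").split("/", 1)[0]


def serve_vulnerable(request_path: str):
    """Hypothetical vulnerable handler (illustrative, not GlassFish's code).

    The restricted-directory check inspects the raw request path, but the file
    lookup uses the normalized path, so '/./WEB-INF/web.xml' passes the check
    ('.' is not a restricted name) and still resolves to WEB-INF/web.xml.
    """
    if first_segment(request_path) in RESTRICTED:
        return 403, None
    body = DOCROOT.get(canonicalize(request_path))
    return (200, body) if body is not None else (404, None)


def serve_hardened(request_path: str):
    """Hardened handler: canonicalize first, then decide on the canonical path."""
    canonical = canonicalize(request_path)
    if first_segment(canonical) in RESTRICTED:
        return 403, None
    body = DOCROOT.get(canonical)
    return (200, body) if body is not None else (404, None)


# Detection: a '.' or '..' segment, literal or percent-encoded, anywhere in the
# raw request path. Browsers and well-behaved clients strip these before
# sending, so their presence in an access log is a strong traversal-probe signal.
DOT_SEGMENT = re.compile(r"(^|/)(\.|%2e){1,2}(/|$)", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def suspicious_requests(log_lines):
    """Return the request paths from Common Log Format lines that carry dot segments."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m and DOT_SEGMENT.search(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 14',
    '203.0.113.5 - - [01/Aug/2022:10:00:02 +0000] "GET /./WEB-INF/web.xml HTTP/1.1" 200 22',
    '203.0.113.5 - - [01/Aug/2022:10:00:03 +0000] "GET /%2e/WEB-INF/classes/App.class HTTP/1.1" 200 4',
    '198.51.100.7 - - [01/Aug/2022:10:00:04 +0000] "GET /static/app.css HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for p in ("/index.html", "/./WEB-INF/web.xml", "/%2e/WEB-INF/web.xml", "/../../WEB-INF/web.xml"):
        print(f"{p:26} vulnerable={serve_vulnerable(p)[0]} hardened={serve_hardened(p)[0]}")
    print("suspicious:", suspicious_requests(SAMPLE_LOG))
```

The design point is ordering: every decision about a request path has to be made on the same canonical form the file lookup uses, and decoding happens exactly once so that a double-encoded `%252e` is not silently turned into a dot segment on a later pass. The detection regex is deliberately broad; a `./` segment in a production access log is rare enough that false positives are cheap to triage.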
Affected Version(s)
Eclipse GlassFish 5.1.0
Eclipse GlassFish <= 6.2.5
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
A read-only path traversal affects confidentiality only; with Availability rated High these same metrics would score 8.1, not 6.5. The User Interaction: Required metric is the published scoring, but the description involves nothing more than a crafted request from an unauthenticated client, so rescoring with UI:N (7.5, HIGH) is defensible when prioritizing patching internally.