Vulnerability DatabaseWS-2022-0436
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
WS-2022-0436
November 03, 2024
Yapscan's report receiver server 0.18.0 up to 0.19.0 is vulnerable to path traversal and log injection. If you make use of the report receiver server (experimental), a client may be able to forge requests such that arbitrary files on the host can be overwritten (subject to permissions of the yapscan server), leading to loss of data. This is particularly problematic if you do not authenticate clients and/or run the server with elevated permissions. Version 0.19.1 contains a patch for this issue.
Related ResourcesĀ (7)
https://github.com/fkie-cad/yapscan/issues/35
https://github.com/advisories/GHSA-9h6h-9g78-86f7
https://github.com/fkie-cad/yapscan/releases/tag/v0.19.1
https://github.com/fkie-cad/yapscan/commit/a75a20b50be673b96b1d42187b97f8cfe60728df
https://github.com/fkie-cad/yapscan/security/advisories/GHSA-9h6h-9g78-86f7
https://github.com/fkie-cad/yapscan/commit/fef9a33ceb66f6b929839f7eaf393b629681bc5d
https://github.com/fkie-cad/yapscan
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22
External Control of File Name or Path
CWE-73
Improper Output Neutralization for Logs
CWE-117