Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05aHIzLWo5bWMteG1xMs3Xyg

Path Traversal in com.alibaba.oneagent:one-java-agent-plugin

All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.
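As an added example (not code from this advisory or from the one-java-agent project), the following Python routine applies the standard Zip Slip mitigation described above: each entry name is canonicalised against the destination directory and the whole archive is refused if any entry would land outside it. The archive containing a `../../evil.exe` entry is constructed inline as sample input, and the destination paths are assumptions.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath


def safe_target(dest_dir, entry_name):
    """Return the path an entry would be written to, or None if it would escape dest_dir."""
    # Zip Slip defence: reject absolute, drive-prefixed and '..' names, then canonicalise
    # the joined path and require it to stay under the canonical destination directory.
    parts = PurePosixPath(entry_name.replace("\\", "/")).parts
    if entry_name[:1] in ("/", "\\") or ".." in parts or (parts and ":" in parts[0]):
        return None
    dest = Path(dest_dir).resolve()
    target = dest.joinpath(*parts).resolve()
    return target if target == dest or dest in target.parents else None


def vet_archive(archive_bytes, dest_dir):
    """Return the names of entries that would escape dest_dir, writing nothing."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [i.filename for i in zf.infolist() if safe_target(dest_dir, i.filename) is None]


def safe_extract(archive_bytes, dest_dir):
    """Extract into dest_dir, refusing the whole archive if any entry is unsafe."""
    bad = vet_archive(archive_bytes, dest_dir)
    if bad:
        raise ValueError(f"archive refused, traversal entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = safe_target(dest_dir, info.filename)  # already vetted, so never None
            target.parent.mkdir(parents=True, exist_ok=True)
            if info.is_dir():
                target.mkdir(exist_ok=True)
            else:
                target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written


def build_archive(entries):
    """Constructed sample input: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Validating every entry before writing anything matters: checking entries one at a time while extracting would still let the benign entries of a malicious archive land on disk before the traversal entry is noticed.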

Permalink: https://github.com/advisories/GHSA-9hr3-j9mc-xmq2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05aHIzLWo5bWMteG1xMs3Xyg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 6.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:L

Identifiers: GHSA-9hr3-j9mc-xmq2, CVE-2022-25842
References: Repository: https://github.com/alibaba/one-java-agent
Blast Radius: 4.8

Affected Packages

maven:com.alibaba.oneagent:one-java-agent-plugin
Dependent packages: 6
Dependent repositories: 5
Downloads:
Affected Version Ranges: < 0.0.2
Fixed in: 0.0.2
All affected versions: 0.0.1
All unaffected versions: 0.0.2