The ACME-challenge endpoint in Appwrite 0.5.0 through 0.12.x before 0.12.2 allows remote attackers to read arbitrary local files via ../ directory traversal. In order to be vulnerable, APP_STORAGE_CERTIFICATES/.well-known/acme-challenge must exist on disk. (This pathname is automatically created if the user chooses to install Let's Encrypt certificates via Appwrite.)
Metrics
Affected Vendors & Products
References
History
Wed, 21 Aug 2024 19:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-22 | |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2024-02-22T00:00:00
Updated: 2024-08-21T17:46:27.441Z
Reserved: 2022-02-20T00:00:00
Link: CVE-2022-25377
Vulnrichment
Updated: 2024-08-03T04:36:06.926Z
NVD
Status : Awaiting Analysis
Published: 2024-02-22T22:15:47.170
Modified: 2024-08-21T18:35:00.673
Link: CVE-2022-25377
Redhat
No data.