CVE-2022-43451 - OpenCVE

OpenHarmony-v3.1.2 and prior versions had an Multiple path traversal vulnerability in appspawn and nwebspawn services. Local attackers can create arbitrary directories or escape application sandbox.If chained with other vulnerabilities it would allow an unprivileged process to gain full root privileges.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openharmony	Openharmony

Configuration 1 [-]

cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2022/2022-11.md

History

No history.

MITRE

Status: PUBLISHED

Assigner: OpenHarmony

Published: 2022-11-03T19:15:11.485048Z

Updated: 2024-08-03T13:32:58.754Z

Reserved: 2022-10-31T00:00:00

Link: CVE-2022-43451

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-11-03T20:15:33.867

Modified: 2022-11-07T02:16:24.973

Link: CVE-2022-43451

Redhat

No data.

{"containers": {"cna": {"affected": [{"vendor": "OpenHarmony", "product": "OpenHarmony", "versions": [{"version": "3.1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">OpenHarmony-v3.1.2 and prior versions had an Multiple path traversal vulnerability in appspawn and nwebspawn services. Local attackers can create arbitrary directories or escape application sandbox.If chained with other vulnerabilities it would allow an unprivileged process to gain full root privileges.</span>\n\n"}], "value": "OpenHarmony-v3.1.2 and prior versions had an Multiple path traversal vulnerability in appspawn and nwebspawn services. Local attackers can create arbitrary directories or escape application sandbox.If chained with other vulnerabilities it would allow an unprivileged process to gain full root privileges."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "dateUpdated": "2024-07-15T00:27:54.327174Z"}, "references": [{"tags": ["patch", "vendor-advisory"], "url": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2022/2022-11.md", "name": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2022/2022-11.md"}], "source": {"discovery": "UNKNOWN"}, "title": "Multiple path traversal in appspawn and nwebspawn services.", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:32:58.754Z"}, "title": "CVE Program Container", "references": [{"tags": ["patch", "vendor-advisory", "x_transferred"], "url": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2022/2022-11.md", "name": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2022/2022-11.md"}]}]}, "cveMetadata": {"assignerOrgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "cveId": "CVE-2022-43451", "serial": 1, "state": "PUBLISHED", "dateUpdated": "2024-08-03T13:32:58.754Z", "dateReserved": "2022-10-31T00:00:00", "datePublished": "2022-11-03T19:15:11.485048Z", "assignerShortName": "OpenHarmony"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openharmony:openharmony:*:*:*:*:*:*:*:*", "matchCriteriaId": "C026D184-A8AE-4DE6-A339-EA4469DDD4E7", "versionEndIncluding": "3.1.2", "versionStartIncluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenHarmony-v3.1.2 and prior versions had an Multiple path traversal vulnerability in appspawn and nwebspawn services. Local attackers can create arbitrary directories or escape application sandbox.If chained with other vulnerabilities it would allow an unprivileged process to gain full root privileges."}, {"lang": "es", "value": "OpenHarmony-v3.1.2 y versiones anteriores ten\u00edan una vulnerabilidad de Multiple path traversal en los servicios appspawn y nwebspawn. Los atacantes locales pueden crear directorios arbitrarios o escapar de la zona de pruebas de la aplicaci\u00f3n. Si se encadena con otras vulnerabilidades, permitir\u00eda que un proceso sin privilegios obtuviera privilegios completos del root."}], "id": "CVE-2022-43451", "lastModified": "2022-11-07T02:16:24.973", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "scy@openharmony.io", "type": "Secondary"}]}, "published": "2022-11-03T20:15:33.867", "references": [{"source": "scy@openharmony.io", "tags": ["Third Party Advisory"], "url": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2022/2022-11.md"}], "sourceIdentifier": "scy@openharmony.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "scy@openharmony.io", "type": "Secondary"}]}