CVE-2022-45866 - OpenCVE

qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Qpress Project	Qpress

Configuration 1 [-]

cpe:2.3:a:qpress_project:qpress:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*

No data.

References

Link	Providers
https://github.com/EvgeniyPatlan/qpress/commit/ddb312090ebd5794e81bc6fb1dfb4e79eda48761
https://github.com/PierreLvx/qpress/compare/20170415...20220819
https://github.com/PierreLvx/qpress/pull/6
https://github.com/percona/percona-xtrabackup/pull/1366
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQWF7635AJSDKEIGLB73XAH643POGTFY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4RXO3VYIFRTNIFHWIAZWND6ZXQ5OYOB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UUZ73XT2FXLHC7I4ODLOVB4O4QN7Q7JB/
https://pkgs.org/download/qpress

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-11-23T00:00:00

Updated: 2024-08-03T14:24:03.207Z

Reserved: 2022-11-23T00:00:00

Link: CVE-2022-45866

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-11-23T20:15:10.380

Modified: 2023-11-07T03:54:55.003

Link: CVE-2022-45866

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-45866", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T14:24:03.207Z", "dateReserved": "2022-11-23T00:00:00", "datePublished": "2022-11-23T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-12-04T00:00:00"}, "descriptions": [{"lang": "en", "value": "qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://pkgs.org/download/qpress"}, {"url": "https://github.com/PierreLvx/qpress/pull/6"}, {"url": "https://github.com/EvgeniyPatlan/qpress/commit/ddb312090ebd5794e81bc6fb1dfb4e79eda48761"}, {"url": "https://github.com/PierreLvx/qpress/compare/20170415...20220819"}, {"url": "https://github.com/percona/percona-xtrabackup/pull/1366"}, {"name": "FEDORA-2022-dacf699829", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQWF7635AJSDKEIGLB73XAH643POGTFY/"}, {"name": "FEDORA-2022-e19ca639ef", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4RXO3VYIFRTNIFHWIAZWND6ZXQ5OYOB/"}, {"name": "FEDORA-2022-0ff8149aad", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UUZ73XT2FXLHC7I4ODLOVB4O4QN7Q7JB/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:24:03.207Z"}, "title": "CVE Program Container", "references": [{"url": "https://pkgs.org/download/qpress", "tags": ["x_transferred"]}, {"url": "https://github.com/PierreLvx/qpress/pull/6", "tags": ["x_transferred"]}, {"url": "https://github.com/EvgeniyPatlan/qpress/commit/ddb312090ebd5794e81bc6fb1dfb4e79eda48761", "tags": ["x_transferred"]}, {"url": "https://github.com/PierreLvx/qpress/compare/20170415...20220819", "tags": ["x_transferred"]}, {"url": "https://github.com/percona/percona-xtrabackup/pull/1366", "tags": ["x_transferred"]}, {"name": "FEDORA-2022-dacf699829", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQWF7635AJSDKEIGLB73XAH643POGTFY/"}, {"name": "FEDORA-2022-e19ca639ef", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4RXO3VYIFRTNIFHWIAZWND6ZXQ5OYOB/"}, {"name": "FEDORA-2022-0ff8149aad", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UUZ73XT2FXLHC7I4ODLOVB4O4QN7Q7JB/"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qpress_project:qpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "841A0F47-DE8B-4FC7-BF54-3F5962B84F6F", "versionEndExcluding": "11.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file."}, {"lang": "es", "value": "qpress anterior a PierreLvx/qpress 20220819 y anterior a la versi\u00f3n 11.3, como se usa en Percona XtraBackup y otros productos, permite el Directory Traversal a trav\u00e9s de ../ en un archivo .qp."}], "id": "CVE-2022-45866", "lastModified": "2023-11-07T03:54:55.003", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-23T20:15:10.380", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/EvgeniyPatlan/qpress/commit/ddb312090ebd5794e81bc6fb1dfb4e79eda48761"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/PierreLvx/qpress/compare/20170415...20220819"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/PierreLvx/qpress/pull/6"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/percona/percona-xtrabackup/pull/1366"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQWF7635AJSDKEIGLB73XAH643POGTFY/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4RXO3VYIFRTNIFHWIAZWND6ZXQ5OYOB/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UUZ73XT2FXLHC7I4ODLOVB4O4QN7Q7JB/"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://pkgs.org/download/qpress"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}