PT-2022-16870 · Unknown · Cyclonedx Bom Repository Server

Florian Grunow · Published 2022-03-22 · Updated 2023-06-30 · CVE-2022-24774

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: CycloneDX BOM Repository Server versions prior to 2.0.1

Description: The CycloneDX BOM Repository Server has an improper input validation issue leading to path traversal. This could allow a malicious user to create arbitrary directories or cause a denial of service by deleting arbitrary directories. The issue is not exploitable if the POST and DELETE methods are disabled, which is the default configuration. This can be achieved by modifying the appsettings.json file or by setting the environment variables ALLOWEDMETHODS__POST and ALLOWEDMETHODS__DELETE to false.

Recommendations: For CycloneDX BOM Repository Server versions prior to 2.0.1, update to version 2.0.1 to resolve the issue. As a temporary workaround, consider modifying the appsettings.json file to disable the POST and DELETE methods, or set the environment variables ALLOWEDMETHODS__POST and ALLOWEDMETHODS__DELETE to false to prevent exploitation.
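The two mitigations the advisory names, gating the write methods and validating untrusted input before it is used to build a filesystem path, as an added defender-side illustration that is not the project's code. It assumes a repository layout of one directory per client-supplied identifier under a fixed root; the identifier shape and the root path are constructed for the example.

```python
import re
from pathlib import Path

# Constructed assumption: identifiers are URN-like tokens with no path separators.
_IDENT_RE = re.compile(r"^[A-Za-z0-9:._-]{1,200}$")

# Mirrors the advisory's workaround: POST and DELETE are off unless enabled.
DEFAULT_ALLOWED_METHODS = {"GET": True, "POST": False, "DELETE": False}


def unsafe_bom_dir(root, ident: str) -> Path:
    """The weak pattern: untrusted input joined straight into a path."""
    return (Path(root) / ident).resolve()


def safe_bom_dir(root, ident: str) -> Path:
    """Allowlist the token, then prove the resolved path stays inside root."""
    if not _IDENT_RE.fullmatch(ident):
        raise ValueError("identifier contains disallowed characters")
    root = Path(root).resolve()
    target = (root / ident).resolve()
    # Path.is_relative_to needs Python 3.9+; the root itself is refused too.
    if target == root or not target.is_relative_to(root):
        raise ValueError("identifier escapes repository root")
    return target


def escapes_root(root, ident: str) -> bool:
    """True when the weak construction lands outside the repository root."""
    root = Path(root).resolve()
    return not unsafe_bom_dir(root, ident).is_relative_to(root)


def handle(method: str, ident: str, root,
           allowed: dict = DEFAULT_ALLOWED_METHODS) -> str:
    """Both mitigations together: method gate first, then path validation."""
    if not allowed.get(method.upper(), False):
        return "405 method disabled"
    try:
        safe_bom_dir(root, ident)
    except ValueError as exc:
        return f"400 {exc}"
    return "200 ok"


if __name__ == "__main__":
    repo = "/srv/bom-repo"  # constructed repository root
    for ident in ("urn:uuid:1234-abcd", "../../etc", "/etc"):
        print(ident, escapes_root(repo, ident), handle("POST", ident, repo))
```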

Tags: Exploit · Fix · Path traversal · RCE

Weakness Enumeration

Related Identifiers

CVE-2022-24774
GHSA-6C74-9588-WQ9J

Affected Products

Cyclonedx Bom Repository Server