PT-2022-21208 · Apache · Apache Uima

Huangzhicong · Published 2022-11-03 · Updated 2023-05-22 · CVE-2022-32287

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Apache UIMA versions prior to 3.3.0

Description: A relative path traversal vulnerability in the FileUtil class used by the PEAR management component of Apache UIMA allows an attacker to create files outside the designated target directory using carefully crafted ZIP entry names. PEAR files should never be installed into a UIMA installation from untrusted sources, because PEAR archives are executable plugins that will be able to perform any actions with the same privileges as the host Java Virtual Machine.

Recommendations: For versions prior to 3.3.0, consider restricting the installation of PEAR files from untrusted sources to minimize the risk of exploitation. As a temporary workaround, carefully validate the ZIP entry names in PEAR archives before installation.
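The workaround above amounts to checking, for every entry in the PEAR archive (a ZIP file), that the path it would be written to still lies inside the chosen target directory. The following is an added example of such a pre-installation check, written for this page and not taken from Apache UIMA's own code; the target directory `/opt/uima/pear` and the archive contents are constructed for the illustration.

```python
import io
import os
import zipfile


def entry_escapes(target_dir: str, entry_name: str) -> bool:
    """True if writing entry_name below target_dir would land outside it.

    The ZIP format stores '/' separators, but backslashes are also treated as
    separators, and absolute names or drive-letter prefixes are rejected
    outright, since some extractors honour those as well.
    """
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    root = os.path.abspath(target_dir)
    # Resolve '.' and '..' components against the intended root, then check
    # that the root is still a prefix of the resolved path.
    candidate = os.path.normpath(os.path.join(root, *name.split("/")))
    return os.path.commonpath([root, candidate]) != root


def unsafe_entries(pear: zipfile.ZipFile, target_dir: str) -> list[str]:
    """Names of all archive entries that would escape target_dir."""
    return [i.filename for i in pear.infolist()
            if entry_escapes(target_dir, i.filename)]


def build_sample_pear() -> zipfile.ZipFile:
    """Constructed in-memory archive (not a real PEAR) mixing benign
    PEAR-like entries with traversal-style names for the check to flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("metadata/install.xml", "<pearSpec/>")
        z.writestr("lib/annotator.jar", b"")
        z.writestr("lib/../metadata/ok.xml", "x")   # stays inside the root
        z.writestr("../../outside.txt", "x")
        z.writestr("lib/../../sneaky.txt", "x")
        z.writestr("/absolute.txt", "x")
        z.writestr("..\\win\\style.txt", "x")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    for bad in unsafe_entries(build_sample_pear(), "/opt/uima/pear"):
        print("refusing to install: entry escapes target directory:", bad)
```

Refuse the whole archive if the list is non-empty rather than skipping individual entries, so a partially installed PEAR never ends up on the classpath.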

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2022-32287
GHSA-XGQR-5WQW-9FPV

Affected Products

Apache Uima