PT-2022-26207 · Sonicjs · Sonicjs
Published
2022-09-30
·
Updated
2022-10-04
·
CVE-2022-42002
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SonicJS versions 0.6.0 and earlier
Description
The issue allows for file overwrite due to the lack of authentication required for certain file update mutations. Specifically, the
fileCreate and fileUpdate mutations can be called without authentication, leading to arbitrary file write and delete capabilities on a SonicJS application.Recommendations
For SonicJS versions 0.6.0 and earlier, as a temporary workaround, consider disabling the
fileCreate and fileUpdate mutations until a patch is available. Restrict access to these mutations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
Memory Corruption
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Sonicjs