PT-2023-13640 · Unknown · Gravitee API Management
Published 2023-01-03 · Updated 2023-01-23 · CVE-2022-38723
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Gravitee API Management versions prior to 3.15.13
Description
The vulnerability allows path traversal through HTML injection in the Email service, potentially enabling anonymous users to read arbitrary files. The affected entry point is the /management/users/register endpoint. A previous patch published in 2019 did not fully resolve the issue; it was later addressed in version 3.15.13.
Recommendations
For versions prior to 3.15.13, update to version 3.15.13. As a temporary workaround, restrict access to the Email service and the /management/users/register endpoint to reduce the risk of exploitation.
Tags: Fix, XSS, Path traversal
Related Identifiers
CVE-2022-38723
Affected Products
Gravitee API Management