PT-2023-14046 · Oro · Oroplatform

Dkhrysev · Published 2023-11-27 · Updated 2023-12-04 · CVE-2022-41951

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OroPlatform versions prior to 5.0.9

Description: Path Traversal is possible in Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName. The method accepts a suggested file name ($suggestedFileName) without confining it to the temporary directory, so an attacker who controls that argument can pass the path of a non-existent file and have the content written to a new file at that location. The file exists for the duration of the script's execution and is deleted immediately after the script ends.

Recommendations: For versions prior to 5.0.9, apply the provided patch to Oro/Bundle/GaufretteBundle/FileManager.php, or decorate Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName in your customization and clear the $suggestedFileName argument before delegating, so that no caller-supplied path can influence where the temporary file is created. Alternatively, update to version 5.0.9 or later, where this vulnerability has been fixed.
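The following Python is an added illustration of the weakness class and of the two mitigations named above; it is not Oro's code and not the patch shipped in 5.0.9. The vulnerable function joins the caller-supplied suggested name to the temporary directory without any check, the workaround variant discards the suggestion as the advisory recommends, and the hardened variant generalises by keeping only the basename and verifying containment. Function names, the directory layout and the sample suggested names are assumptions constructed for the example.

```python
import os
import shutil
import tempfile
import uuid
from typing import Optional


def escapes_directory(base_dir: str, path: str) -> bool:
    """True when `path` normalises to a location outside `base_dir`."""
    base = os.path.normpath(os.path.abspath(base_dir))
    target = os.path.normpath(os.path.abspath(path))
    return os.path.commonpath([base, target]) != base


def vulnerable_temporary_file_name(temp_dir: str, suggested: Optional[str] = None) -> str:
    """Vulnerable pattern (constructed, not Oro's code): the suggestion is joined
    verbatim. '..' segments survive, and an absolute suggestion makes
    os.path.join drop temp_dir entirely, so the caller picks the final path."""
    name = suggested or f"{uuid.uuid4().hex}.tmp"
    return os.path.join(temp_dir, name)


def workaround_temporary_file_name(temp_dir: str, suggested: Optional[str] = None) -> str:
    """Advisory workaround: clear the suggestion and always generate the name."""
    return os.path.join(temp_dir, f"{uuid.uuid4().hex}.tmp")


def hardened_temporary_file_name(temp_dir: str, suggested: Optional[str] = None) -> str:
    """Stricter generalisation: keep only the basename of the suggestion and
    verify that the result still lies inside temp_dir."""
    base = os.path.normpath(os.path.abspath(temp_dir))
    if suggested:
        # basename() drops every directory component, including '..' and a
        # leading '/': '../../etc/cron.d/job' and '/etc/cron.d/job' both become 'job'.
        candidate = os.path.basename(suggested)
        if candidate in ("", ".", "..") or "\x00" in candidate:
            raise ValueError(f"invalid suggested file name: {suggested!r}")
    else:
        candidate = f"{uuid.uuid4().hex}.tmp"
    path = os.path.normpath(os.path.join(base, candidate))
    # Defence in depth: fail closed if anything above still escaped the directory.
    if escapes_directory(base, path):
        raise ValueError(f"suggested file name escapes {base}: {suggested!r}")
    return path


def rejects_suggestion(temp_dir: str, suggested: str) -> bool:
    """Helper: does the hardened variant refuse this suggested name?"""
    try:
        hardened_temporary_file_name(temp_dir, suggested)
    except ValueError:
        return True
    return False


def demonstrate_escape() -> str:
    """Write through the vulnerable variant and return where the file really
    landed, relative to a scratch root. With temp dir <root>/app/tmp and the
    suggestion '../../planted.txt' the content ends up at <root>/planted.txt,
    two levels above the directory the application intended to use."""
    root = tempfile.mkdtemp(prefix="cve-2022-41951-demo-")
    try:
        app_tmp = os.path.join(root, "app", "tmp")
        os.makedirs(app_tmp)
        target = vulnerable_temporary_file_name(app_tmp, "../../planted.txt")
        with open(target, "w", encoding="utf-8") as fh:
            fh.write("attacker-controlled content\n")  # constructed payload
        return os.path.relpath(os.path.normpath(target), root)
    finally:
        # As in the advisory, the planted file only exists while the script runs.
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_temporary_file_name("/var/app/tmp", "../../etc/cron.d/job"))
    print("workaround:", workaround_temporary_file_name("/var/app/tmp", "../../etc/cron.d/job"))
    print("hardened:  ", hardened_temporary_file_name("/var/app/tmp", "../../etc/cron.d/job"))
    print("planted at:", demonstrate_escape())
```

The basename step alone is not sufficient on its own in every environment (on Windows, for example, `os.path.basename` also understands backslashes, which on POSIX are ordinary file-name characters), which is why the hardened variant keeps the containment check as a second, independent gate. When decorating the real service, the simplest defensible choice is the advisory's: pass an empty suggestion through to the inner method and let it generate the name.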

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2022-41951, GHSA-9V3J-4J64-P937

Affected Products: Oroplatform