Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-25842— Arbitrary File Write via Archive Extraction (Zip Slip)

CVSS 6.9 · Medium EPSS 2.71% · P86
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-25842

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Arbitrary File Write via Archive Extraction (Zip Slip)
Source: NVD (National Vulnerability Database)
Vulnerability Description
All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
one-java-agent 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
one-java-agent是提供插件化支持,统一管理众多的Java Agent。 com.alibaba.oneagent:one-java-agent-plugin 所有版本存在安全漏洞,攻击者利用该漏洞可以覆盖可执行文件并远程调用它们,或者等待系统或用户调用它们,从而在受害者的机器上实现远程命令执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
-com.alibaba.oneagent:one-java-agent-plugin 0 ~ unspecified -

II. Public POCs for CVE-2022-25842

#POC DescriptionSource LinkShenlong Link
1Nonehttps://github.com/shoucheng3/alibaba__one-java-agent_CVE-2022-25842_0-0-1POC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2022-25842

登录查看更多情报信息。

Same Patch Batch · n/a · 2022-05-01 · 24 CVEs total

CVE-2022-244379.8 CRITICALCommand Injection
CVE-2022-257679.8 CRITICALRemote Code Execution
CVE-2022-239238.6 HIGHSandbox Bypass
CVE-2022-253017.7 HIGHPrototype Pollution
CVE-2022-256477.7 HIGHDeserialization of Untrusted Data
CVE-2022-211447.5 HIGHDenial of Service (DoS)
CVE-2022-212277.5 HIGHDenial of Service (DoS)
CVE-2022-211677.5 HIGHArbitrary Code Execution
CVE-2022-221437.5 HIGHPrototype Pollution
CVE-2022-258507.5 HIGHServer-side Request Forgery (SSRF)
CVE-2022-211897.3 HIGHPrototype Pollution
CVE-2022-256456.5 MEDIUMPrototype Pollution
CVE-2022-260686.5 MEDIUMPath Traversal
CVE-2022-212305.5 MEDIUMInformation Exposure
CVE-2022-211495.4 MEDIUMCross-site Scripting (XSS)
CVE-2022-253495.4 MEDIUMCross-site Scripting (XSS)
CVE-2022-258445.3 MEDIUMRegular Expression Denial of Service (ReDoS)
CVE-2022-29849Progress OpenEdge权限许可和访问控制问题漏洞
CVE-2022-28481CSV-Safe gem 安全漏洞
CVE-2021-31674Cyclos 4 PRO 跨站脚本漏洞

Showing top 20 of 24 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same vendor: n/a

V. Comments for CVE-2022-25842

No comments yet

Leave a comment