CVE-2022-25842 MEDIUM

CVE-2022-25842: Arbitrary File Write via Archive Extraction (Zip Slip)

Vendor N/A
Product com.alibaba.oneagent:one-java-agent-plugin
Published May 1, 2022
Last update September 17, 2024

CVSS base score

6.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:L/E:P

What the vulnerability does

01Description

All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.

Key dates

02Disclosure timeline

May 1, 2022 CVE published
September 17, 2024 Record updated