Lucene search

Veracode Vulnerability DatabaseVERACODE:47725

HistoryJun 25, 2024 - 5:05 a.m.

Path Traversal

2024-06-2505:05:51

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

codechecker

path traversal

unsanitized input

zip files

internal database

web interface

vulnerability

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.7 Medium

AI Score

Confidence

High

JSON

CodeChecker is vulnerable to a Path traversal. The vulnerability is due to improper sanitization of ZIP files at the CodeCheckerService@massStoreRun endpoint. An attackers can exploit this by inserting arbitrary files into internal database, which can then be displayed through the Web interface.

CPENameOperatorVersion
codecheckerle6.23.0rc2
codecheckerle6.23.0rc2

CPE	Name	Operator	Version
	codechecker	le	6.23.0rc2
	codechecker	le	6.23.0rc2

References

github.com/advisories/GHSA-h26w-r4m5-8rrf

github.com/Ericsson/codechecker/commit/46bada41e32f3ba0f6011d5c556b579f6dddf07a

github.com/Ericsson/codechecker/security/advisories/GHSA-h26w-r4m5-8rrf

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.7 Medium

AI Score

Confidence

High

JSON

Related for VERACODE:47725