Vulnerability Description
All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alibabagroup | One-Java-Agent | All versions |
Related Weaknesses (CWE)
References
- https://github.com/alibaba/one-java-agent/blob/1f399a2299a8a409d15ea6111a7098629ExploitThird Party Advisory
- https://github.com/alibaba/one-java-agent/pull/29PatchThird Party Advisory
- https://github.com/alibaba/one-java-agent/pull/29/commits/359603b63fc6c59d8b57e0Third Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-COMALIBABAONEAGENT-2407874Third Party Advisory
- https://github.com/alibaba/one-java-agent/blob/1f399a2299a8a409d15ea6111a7098629ExploitThird Party Advisory
- https://github.com/alibaba/one-java-agent/pull/29PatchThird Party Advisory
- https://github.com/alibaba/one-java-agent/pull/29/commits/359603b63fc6c59d8b57e0Third Party Advisory
- https://snyk.io/vuln/SNYK-JAVA-COMALIBABAONEAGENT-2407874Third Party Advisory
FAQ
What is CVE-2022-25842?
CVE-2022-25842 is a vulnerability with a CVSS score of 6.9 (MEDIUM). All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory trave...
How severe is CVE-2022-25842?
CVE-2022-25842 has been rated MEDIUM with a CVSS base score of 6.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-25842?
Check the references section above for vendor advisories and patch information. Affected products include: Alibabagroup One-Java-Agent.