Vulnerability Description
MelisAssetManager provides deliveries of Melis Platform's assets located in every module's public folder. Attackers can read arbitrary files on affected versions of `melisplatform/melis-asset-manager`, leading to the disclosure of sensitive information. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-asset-manager` >= 5.0.1. This issue was addressed by restricting access to files to intended directories only.
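The fix described above, restricting delivery to files inside the intended public directories, comes down to canonicalising the requested path and checking that it is still contained in the allowed base directory. The following is an added illustration of that containment check, not code from melis-asset-manager or its patch; the base-directory layout, the function name `resolveAssetPath`, and the temporary demo files are all assumptions constructed for this example.

```php
<?php
// Added example, not melis-asset-manager code: resolve a requested asset
// path and return it only if it stays inside the module's public directory.
// The directory layout and function name are assumptions for this demo.

declare(strict_types=1);

/**
 * Return the canonical absolute path of $requested inside $publicDir, or
 * null if the path escapes that directory, does not exist, or is not a file.
 */
function resolveAssetPath(string $publicDir, string $requested): ?string
{
    $base = realpath($publicDir);
    if ($base === false) {
        return null; // misconfigured or missing base directory
    }
    // Reject embedded null bytes; they can truncate paths in lower-level calls.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, so the comparison below is
    // made on the canonical form rather than on the raw request string.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment check: the canonical path must begin with base + separator,
    // so a sibling directory sharing a prefix (e.g. "public2") is not accepted.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo layout under the system temp directory so it runs anywhere:
//   <tmp>/demo-<rand>/public/css/app.css   (allowed)
//   <tmp>/demo-<rand>/secret.txt           (outside the public dir)
$root      = sys_get_temp_dir() . '/demo-' . bin2hex(random_bytes(4));
$publicDir = $root . '/public';
mkdir($publicDir . '/css', 0700, true);
file_put_contents($publicDir . '/css/app.css', 'body{}');
file_put_contents($root . '/secret.txt', 'constructed sample, not real data');

$checks = [
    'css/app.css'         => resolveAssetPath($publicDir, 'css/app.css') !== null,      // served
    'css/../css/app.css'  => resolveAssetPath($publicDir, 'css/../css/app.css') !== null, // served (normalises inside)
    '../secret.txt'       => resolveAssetPath($publicDir, '../secret.txt') === null,     // refused (escapes base)
    'css'                 => resolveAssetPath($publicDir, 'css') === null,               // refused (directory, not file)
];
foreach ($checks as $request => $ok) {
    printf("%-20s %s\n", $request, $ok ? 'as expected' : 'UNEXPECTED');
}

// Clean up the constructed demo files.
unlink($publicDir . '/css/app.css');
unlink($root . '/secret.txt');
rmdir($publicDir . '/css');
rmdir($publicDir);
rmdir($root);
```

Because `realpath()` follows symbolic links before the prefix comparison, a link placed inside the public directory that points elsewhere is also refused; if a deployment legitimately relies on such links, the allowed targets need to be whitelisted explicitly rather than by loosening the check.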
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Melistechnology | Melis-Asset-Manager | < 5.0.1 |
Related Weaknesses (CWE)
References
- https://github.com/melisplatform/melis-asset-manager/commit/a0f75918c049aff78953 (Patch, Third Party Advisory)
- https://github.com/melisplatform/melis-asset-manager/security/advisories/GHSA-7f (Patch, Third Party Advisory)
FAQ
What is CVE-2022-39296?
CVE-2022-39296 is a vulnerability with a CVSS score of 8.6 (HIGH). MelisAssetManager provides deliveries of Melis Platform's assets located in every module's public folder. Attackers can read arbitrary files on affected versions of `melisplatform/melis-asset-manager`...
How severe is CVE-2022-39296?
CVE-2022-39296 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-39296?
Check the references section above for vendor advisories and patch information. Affected products include: Melistechnology Melis-Asset-Manager.