Vulnerability Description
Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. Versions prior to 2.5.4 contain a file upload ability. The affected code fails to validate fileMd5 and fileName parameters, resulting in an arbitrary file being read. This issue is patched in 2.5.4b. There are no known workarounds.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gin-Vue-Admin Project | Gin-Vue-Admin | < 2.5.4b |
Related Weaknesses (CWE)
References
- https://github.com/flipped-aurora/gin-vue-admin/blob/main/server/utils/breakpoinExploitThird Party Advisory
- https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-wrmq-4vExploitPatchThird Party Advisory
- https://github.com/flipped-aurora/gin-vue-admin/blob/main/server/utils/breakpoinExploitThird Party Advisory
- https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-wrmq-4vExploitPatchThird Party Advisory
FAQ
What is CVE-2022-39305?
CVE-2022-39305 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. Versions prior to 2.5.4 contain a file upload ability. The affected code fail...
How severe is CVE-2022-39305?
CVE-2022-39305 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-39305?
Check the references section above for vendor advisories and patch information. Affected products include: Gin-Vue-Admin Project Gin-Vue-Admin.