Headline
CVE-2022-24774: Improper input validation vulnerability leading to arbitrary creation of directories and a denial of service by deleting arbitrary directories.
CycloneDX BOM Repository Server is a bill of materials (BOM) repository server for distributing CycloneDX BOMs. CycloneDX BOM Repository Server before version 2.0.1 has an improper input validation vulnerability leading to path traversal. A malicious user may potentially exploit this vulnerability to create arbitrary directories or a denial of service by deleting arbitrary directories. The vulnerability is resolved in version 2.0.1. The vulnerability is not exploitable with the default configuration with the post and delete methods disabled. This can be configured by modifying the appsettings.json file, or alternatively, setting the environment variables ALLOWEDMETHODS__POST and ALLOWEDMETHODS__DELETE to false.
Impact
CycloneDX BOM Repository Server before version 2.0.1 has an improper input validation vulnerability leading to path traversal. A malicious user may potentially exploit this vulnerability to create arbitrary directories or a denial of service by deleting arbitrary directories.
Patches
The vulnerability is resolved in version 2.0.1.
Workarounds
The vulnerability is not exploitable in the default configuration with the post and delete methods disabled.
This can be configured by modifying the appsettings.json file, or alternatively, setting the environment variables ALLOWEDMETHODS__POST and ALLOWEDMETHODS__DELETE to false.
Acknowledgement
The CycloneDX project would like to thank Florian Grunow from ERNW Enno Rey Netzwerke GmbH for responsibly disclosing this vulnerability.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the BOM Repository Server issue tracker
- Email [email protected]