Headline
CVE-2022-24774: Build software better, together
CycloneDX BOM Repository Server is a bill of materials (BOM) repository server for distributing CycloneDX BOMs. CycloneDX BOM Repository Server before version 2.0.1 has an improper input validation vulnerability leading to path traversal. A malicious user may potentially exploit this vulnerability to create arbitrary directories or a denial of service by deleting arbitrary directories. The vulnerability is resolved in version 2.0.1. The vulnerability is not exploitable with the default configuration with the post and delete methods disabled. This can be configured by modifying the appsettings.json file, or alternatively, setting the environment variables ALLOWEDMETHODS__POST and ALLOWEDMETHODS__DELETE to false.
Package
bom-repo-server ()
Affected versions
<=2.0.0
Impact
CycloneDX BOM Repository Server before version 2.0.1 has an improper input validation vulnerability leading to path traversal. A malicious user may potentially exploit this vulnerability to create arbitrary directories or a denial of service by deleting arbitrary directories.
Patches
The vulnerability is resolved in version 2.0.1.
Workarounds
The vulnerability is not exploitable in the default configuration with the post and delete methods disabled.
This can be configured by modifying the appsettings.json file, or alternatively, setting the environment variables ALLOWEDMETHODS__POST and ALLOWEDMETHODS__DELETE to false.
Acknowledgement
The CycloneDX project would like to thank Florian Grunow from ERNW Enno Rey Netzwerke GmbH for responsibly disclosing this vulnerability.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the BOM Repository Server issue tracker
- Email [email protected]
CVE ID
CVE-2022-24774
GHSA ID
GHSA-6c74-9588-wq9j
CWEs
CVSS Score
7.1 High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L