CVE-2022-45921

Published: Nov 28, 2022Modified: Apr 28, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

FusionAuth before 1.41.3 allows a file outside of the application root to be viewed or retrieved using an HTTP request. To be specific, an attacker may be able to view or retrieve any file readable by the user running the FusionAuth process.

Affected (1)

Products: Fusionauth: Fusionauth

Fusionauth

1 product

Fusionauth

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Fusionauth Fusionauth	From 1.37.0 to 1.41.3

Related CWEs

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (4)

https://fusionauth.io/docs/v1/tech/release-notes

Source: cve@mitre.org

Release NotesVendor Advisory

https://github.com/FusionAuth/fusionauth-issues/issues/1983

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://fusionauth.io/docs/v1/tech/release-notes

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://github.com/FusionAuth/fusionauth-issues/issues/1983

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

Timeline

No history available yet.