Total
5025 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-29100 | 1 Esri | 1 Arcgis Earth | 2022-03-30 | 6.8 MEDIUM | 7.8 HIGH |
| A path traversal vulnerability exists in Esri ArcGIS Earth versions 1.11.0 and below which allows arbitrary file creation on an affected system through crafted input. An attacker could exploit this vulnerability to gain arbitrary code execution under security context of the user running ArcGIS Earth by inducing the user to upload a crafted file to an affected system. | |||||
| CVE-2021-29101 | 1 Arcgis | 1 Geoevent Server | 2022-03-30 | 5.0 MEDIUM | 7.5 HIGH |
| ArcGIS GeoEvent Server versions 10.8.1 and below has a read-only directory path traversal vulnerability that could allow an unauthenticated, remote attacker to perform directory traversal attacks and read arbitrary files on the system. | |||||
| CVE-2020-29453 | 1 Atlassian | 3 Data Center, Jira Data Center, Jira Server | 2022-03-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center before version 8.5.11, from 8.6.0 before 8.13.3, and from 8.14.0 before 8.15.0 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. | |||||
| CVE-2021-26086 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2022-03-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1. | |||||
| CVE-2021-27471 | 1 Rockwellautomation | 1 Connected Components Workbench | 2022-03-29 | 6.8 MEDIUM | 8.6 HIGH |
| The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by Rockwell Automation Connected Components Workbench v12.00.00 and prior, can traverse the file system. If successfully exploited, an attacker could overwrite existing files and create additional files with the same permissions of the Connected Components Workbench software. User interaction is required for this exploit to be successful. | |||||
| CVE-2021-27473 | 1 Rockwellautomation | 1 Connected Components Workbench | 2022-03-29 | 6.9 MEDIUM | 8.2 HIGH |
| Rockwell Automation Connected Components Workbench v12.00.00 and prior does not sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that, when opened by Connected Components Workbench, will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful. | |||||
| CVE-2021-40525 | 1 Apache | 1 James | 2022-03-29 | 6.4 MEDIUM | 9.1 CRITICAL |
| Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted. | |||||
| CVE-2022-25267 | 1 Passwork | 1 Passwork | 2022-03-29 | 6.5 MEDIUM | 8.8 HIGH |
| Passwork On-Premise Edition before 4.6.13 allows migration/uploadExportFile Directory Traversal (to upload files). | |||||
| CVE-2022-25266 | 1 Passwork | 1 Passwork | 2022-03-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| Passwork On-Premise Edition before 4.6.13 allows migration/downloadExportFile Directory Traversal (to read files). | |||||
| CVE-2022-25249 | 1 Ptc | 2 Axeda Agent, Axeda Desktop Server | 2022-03-28 | 5.0 MEDIUM | 7.5 HIGH |
| When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) (disregarding Axeda agent v6.9.2 and v6.9.3) is vulnerable to directory traversal, which could allow a remote unauthenticated attacker to obtain file system read access via web server.. | |||||
| CVE-2021-34363 | 2 Fedoraproject, The Fuck Project | 2 Fedora, The Fuck | 2022-03-25 | 6.4 MEDIUM | 9.1 CRITICAL |
| The thefuck (aka The Fuck) package before 3.31 for Python allows Path Traversal that leads to arbitrary file deletion via the "undo archive operation" feature. | |||||
| CVE-2022-21221 | 2 Fasthttp Project, Microsoft | 2 Fasthttp, Windows | 2022-03-23 | 5.0 MEDIUM | 7.5 HIGH |
| The package github.com/valyala/fasthttp before 1.34.0 are vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization. It is possible to be exploited by using a backslash %5c character in the path. **Note:** This security issue impacts Windows users only. | |||||
| CVE-2022-1000 | 1 Tiny File Manager Project | 1 Tiny File Manager | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL |
| Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7. | |||||
| CVE-2022-23107 | 1 Jenkins | 1 Warnings Next Generation | 2022-03-23 | 5.5 MEDIUM | 8.1 HIGH |
| Jenkins Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring custom ID, allowing attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system. | |||||
| CVE-2022-27203 | 1 Jenkins | 1 Extended Choice Parameter | 2022-03-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller. | |||||
| CVE-2022-27208 | 1 Jenkins | 1 Kubernetes Continuous Deploy | 2022-03-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Kubernetes Continuous Deploy Plugin 2.3.1 and earlier allows users with Credentials/Create permission to read arbitrary files on the Jenkins controller. | |||||
| CVE-2021-29134 | 1 Gitea | 1 Gitea | 2022-03-22 | 5.0 MEDIUM | 5.3 MEDIUM |
| The avatar middleware in Gitea before 1.13.6 allows Directory Traversal via a crafted URL. | |||||
| CVE-2022-22771 | 1 Tibco | 2 Jasperreports Library, Jasperreports Server | 2022-03-22 | 4.0 MEDIUM | 8.8 HIGH |
| The Server component of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: version 7.9.0, TIBCO JasperReports Library for ActiveMatrix BPM: version 7.9.0, TIBCO JasperReports Server: versions 7.9.0 and 7.9.1, TIBCO JasperReports Server for AWS Marketplace: versions 7.9.0 and 7.9.1, TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.9.0 and 7.9.1, and TIBCO JasperReports Server for Microsoft Azure: version 7.9.1. | |||||
| CVE-2021-45010 | 1 Tiny File Manager Project | 1 Tiny File Manager | 2022-03-21 | 6.5 MEDIUM | 8.8 HIGH |
| A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution. | |||||
| CVE-2022-25216 | 1 Dvdfab | 2 12 Player, Playerfab | 2022-03-21 | 7.8 HIGH | 7.5 HIGH |
| An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access, by means of an HTTP GET request to http://<IP_ADDRESS>:32080/download/<URL_ENCODED_PATH>. | |||||