Moderate severity · NVD Advisory · Published May 1, 2022 · Updated Sep 17, 2024
Arbitrary File Write via Archive Extraction (Zip Slip)
CVE-2022-25842
Description
Versions of the package com.alibaba.oneagent:one-java-agent-plugin before 0.0.2 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip). A specially crafted archive whose entry names contain directory traversal sequences (e.g. ../../evil.exe) is extracted by joining each entry name to the destination directory without validating the resulting path, so an entry can be written anywhere the extracting process has write access. An attacker can overwrite executable files and either invoke them remotely or wait for the system or a user to run them, achieving remote command execution on the victim's machine. The advisory references the archive-extraction helper in one-java-agent-plugin's com.alibaba.oneagent.utils.IOUtils (see References).
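The pattern behind this class of bug, and the check that closes it, as an added illustration that is not code from one-java-agent or from its fix: a constructed in-memory archive containing a benign entry and a ../../evil.txt entry is extracted once with the unchecked join of entry name and destination, and once with a canonical-path check that rejects any entry resolving outside the destination. The class and method names (ZipSlipDemo, unzipUnsafe, unzipSafe, resolveInside, writeEntry) are this example's own assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipDemo {

    /** Constructed test archive: one benign entry and one traversal entry (../../evil.txt). */
    static byte[] buildArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("ok.txt"));
            zos.write("benign".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            // java.util.zip does not validate entry names, so the traversal name is stored as-is.
            zos.putNextEntry(new ZipEntry("../../evil.txt"));
            zos.write("pwned".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    /** VULNERABLE pattern: the attacker-controlled entry name is joined to destDir unchecked. */
    static void unzipUnsafe(byte[] archive, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(archive))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File target = new File(destDir, entry.getName());
                writeEntry(zis, entry, target);
            }
        }
    }

    /** HARDENED: every entry must canonicalise to a path underneath destDir. */
    static void unzipSafe(byte[] archive, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(archive))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                writeEntry(zis, entry, resolveInside(destDir, entry.getName()));
            }
        }
    }

    /**
     * Resolves entryName against destDir and rejects anything that escapes it.
     * The trailing separator matters: a base of "/tmp/out" must not accept "/tmp/outside/x".
     */
    static File resolveInside(File destDir, String entryName) throws IOException {
        String base = destDir.getCanonicalPath() + File.separator;
        File target = new File(destDir, entryName);
        if (!target.getCanonicalPath().startsWith(base)) {
            throw new IOException("Zip entry escapes destination directory: " + entryName);
        }
        return target;
    }

    private static void writeEntry(InputStream in, ZipEntry entry, File target) throws IOException {
        if (entry.isDirectory()) {
            Files.createDirectories(target.toPath());
            return;
        }
        File parent = target.getParentFile();
        if (parent != null) {
            Files.createDirectories(parent.toPath());
        }
        // ZipInputStream reports end-of-stream at the end of the current entry, so copy reads just this entry.
        Files.copy(in, target.toPath(), StandardCopyOption.REPLACE_EXISTING);
    }

    public static void main(String[] args) throws IOException {
        // Nest the destination two levels deep so that ../../ stays inside our own temp tree.
        File root = Files.createTempDirectory("zipslip").toFile();
        File dest = new File(root, "a/b/out");
        byte[] archive = buildArchive();

        unzipUnsafe(archive, dest);
        File escaped = new File(root, "a/evil.txt");
        System.out.println("unsafe extraction wrote outside dest: " + escaped.exists());

        try {
            unzipSafe(archive, dest);
            System.out.println("safe extraction accepted the archive (unexpected)");
        } catch (IOException e) {
            System.out.println("safe extraction rejected entry: " + e.getMessage());
        }
    }
}
```

The comparison is done on canonical paths rather than on the raw entry name so that symlinked destinations and mixed "./" and "../" segments are normalised before the prefix check; a plain `entryName.contains("..")` test misses names that normalise to an escape and rejects harmless names like "a..b". Compiled and run as `javac ZipSlipDemo.java && java ZipSlipDemo`, the unsafe path reports `true` for the file landing two levels above the destination and the hardened path throws on the traversal entry after extracting ok.txt.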
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.alibaba.oneagent:one-java-agent-plugin | Maven | < 0.0.2 | 0.0.2 |
Affected products
- alibaba.oneagent/one-java-agent-plugin
Patches
Fixed in com.alibaba.oneagent:one-java-agent-plugin 0.0.2; upgrade to 0.0.2 or later. The referenced pull request and commits in alibaba/one-java-agent (see References) carry the fix.
References
- github.com/advisories/GHSA-9hr3-j9mc-xmq2 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25842 (NVD entry)
- github.com/alibaba/one-java-agent/blob/1f399a2299a8a409d15ea6111a7098629b8f1050/one-java-agent-plugin/src/main/java/com/alibaba/oneagent/utils/IOUtils.java (source file referenced by the advisory)
- github.com/alibaba/one-java-agent/pull/29 (fix pull request)
- github.com/alibaba/one-java-agent/pull/29/commits/359603b63fc6c59d8b57e061c171954bab3433bf (fix commit)
- github.com/alibaba/one-java-agent/pull/29/commits/b5b437f9f4c8cbfe7bdbe266e975a4bd513c13fe (fix commit)
- snyk.io/vuln/SNYK-JAVA-COMALIBABAONEAGENT-2407874 (Snyk advisory)