
CVE-2022-23082: Path traversal in CureKit

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.5731%
Published: 6/1/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: io.whitesource:curekit
Ecosystem: maven
Vulnerable Versions: >= 1.0.1, < 1.1.4
First Patched Version: 1.1.4

Vulnerability Intelligence

Root Cause Analysis

The vulnerability description explicitly names isFileOutsideDir as the failing function. The commit diff shows this function was modified to replace a string-based startsWith check with a Path-based comparison, confirming the original implementation was insufficient. The added test case demonstrates a scenario where the old logic would fail: checking '/usr/foo/../foo-bar/bar' against '/usr/foo'. As a string, that input starts with '/usr/foo', so a startsWith check accepts it, yet once the '..' segment is resolved it points at the sibling directory '/usr/foo-bar'. A string-based comparison cannot distinguish directory hierarchy from a shared character prefix, so an attacker can reach files outside the intended directory; the CVSS vector (C:H, I:N, A:N) reflects this as an unauthenticated read of files the application should not expose.
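The following is an added illustration and not CureKit's source code: a weak check of the kind the analysis attributes to the original isFileOutsideDir (normalize, then compare as strings) is placed beside a Path-component comparison of the kind the fix introduced, and both are run against the test case quoted above plus two related inputs. The class name, the two method names and the sample inputs other than the quoted test case are hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not CureKit's code): why a string prefix check is not a
// directory-containment check, and how a Path-based comparison fixes it.
public final class PathContainmentDemo {

    // Weak variant, modeled on the description: normalize, then compare the
    // text. "/usr/foo-bar/bar" starts with the characters "/usr/foo", so a
    // sibling directory is wrongly treated as inside the base directory.
    // (Without the normalize() call, "/usr/foo/../../etc/passwd" would pass
    // this check too, since the raw string also begins with "/usr/foo".)
    static boolean isFileOutsideDirWeak(String filePath, String dir) {
        String normalized = Paths.get(filePath).normalize().toString();
        return !normalized.startsWith(dir);
    }

    // Hardened variant: compare path name elements, not characters.
    // Path.startsWith(Path) only matches whole elements, so the Path
    // "/usr/foo-bar/bar" does NOT start with the Path "/usr/foo".
    // normalize() collapses "." and ".." before the comparison.
    static boolean isFileOutsideDirSafe(String filePath, String dir) {
        Path base = Paths.get(dir).toAbsolutePath().normalize();
        Path target = Paths.get(filePath).toAbsolutePath().normalize();
        return !target.startsWith(base);
    }

    public static void main(String[] args) {
        String dir = "/usr/foo";
        // Constructed inputs; the second is the test case from the fix commit.
        String[] inputs = {
            "/usr/foo/bar",               // genuinely inside: both say false
            "/usr/foo/../foo-bar/bar",    // sibling dir via "..": weak=false (bug), safe=true
            "/usr/foo-bar/bar",           // plain prefix collision: weak=false (bug), safe=true
            "/usr/foo/../../etc/passwd",  // classic traversal: both say true
        };
        System.out.printf("%-28s %-6s %-6s%n", "input", "weak", "safe");
        for (String in : inputs) {
            System.out.printf("%-28s %-6b %-6b%n", in,
                isFileOutsideDirWeak(in, dir), isFileOutsideDirSafe(in, dir));
        }
    }
}
```

Two caveats a reviewer would add to the hardened variant: neither normalize() nor Path.startsWith resolves symbolic links, so if the base directory can contain attacker-controlled symlinks, canonicalize both sides with toRealPath() (which requires the file to exist) before comparing; and in a server, resolve untrusted relative input against the base directory (base.resolve(input).normalize()) rather than against the process working directory as toAbsolutePath() does here.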


WAF Protection Rules

WAF Rule

CureKit versions v1.0.1 through v1.1.3 are vulnerable to path traversal as the function `isFileOutsideDir` fails to sanitize the user input which may lead to path traversal.
