8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-26049

GHSA ID

GHSA-p2f7-9cv7-jjf6

EPSS Score

0.64131%

CWE

CWE-22

Published

9/12/2022

Updated

1/28/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-26049

CVE-2022-26049: Goomph before 3.37.2 allows malicious zip file to write contents to arbitrary locations

This affects the package com.diffplug.gradle:goomph before 3.37.2. It allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/directories could allow an attacker to achieve remote code execution on a target system by exploiting this vulnerability.

Note: This could have allowed a malicious zip file to extract itself into an arbitrary directory. The only file that Goomph extracts is the p2 bootstrapper and eclipse metadata files hosted at eclipse.org, which are not malicious, so the only way this vulnerability could have affected you is if you had set a custom bootstrap zip, and that zip was malicious.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-26049

GHSA ID

GHSA-p2f7-9cv7-jjf6

EPSS Score

0.64131%

CWE

CWE-22

Published

9/12/2022

Updated

1/28/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.diffplug.gradle:goomph	maven	< 3.37.2	3.37.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The GitHub commit 25f04f6 shows a security fix in ZipMisc.java where a path validation check was added during zip extraction. The vulnerability description explicitly mentions zip file extraction as the attack vector, and the CWE-22 classification confirms path traversal. The added code in the unzip function validates normalized paths to prevent directory escape, indicating this was the vulnerable function prior to the patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts t** p**k*** *om.*i**plu*.*r**l*:*oomp* ***or* *.**.*. It *llows * m*li*ious zip *il* to pot*nti*lly *r**k out o* t** *xp**t** **stin*tion *ir**tory, writin* *ont*nts into *r*itr*ry lo**tions on t** *il* syst*m. Ov*rwritin* **rt*in *il*s/

Reasoning

T** *it*u* *ommit ******* s*ows * s**urity *ix in ZipMis*.j*v* w**r* * p*t* v*li**tion ****k w*s ***** *urin* zip *xtr**tion. T** vuln*r**ility **s*ription *xpli*itly m*ntions zip *il* *xtr**tion *s t** *tt**k v**tor, *n* t** *W*-** *l*ssi*i**tion *o

8.8

Basic Information

Concerned about an active attack path?

CVE-2022-26049: Goomph before 3.37.2 allows malicious zip file to write contents to arbitrary locations

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI