8.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-38723

CVE-2022-38723: Gravitee API Management contains Path Traversal

This CVE addresses the partial fix for CVE-2019-25075

Gravitee API Management before 3.15.13 allows path traversal through HTML injection. A certain HTML injection combined with path traversal in the Email service in Gravitee API Management before 3.15.13 allows anonymous users to read arbitrary files via a /management/users/register request.

A patch was published in 2019 for this vulnerability but did not appear to have solved the issue. Version 3.15.13 did remove the flaw.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-38723

CVE-2022-38723:

8.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.gravitee.apim:gravitee-api-management	maven	< 3.15.13	3.15.13

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability combines HTML injection (CWE-79) with path traversal (CWE-22) via the /management/users/register endpoint. The UserRegistrationController handles user registration requests, and the EmailService processes email templates. Previous CVE-2019-25075's partial fix suggests template handling functions were inadequately patched. The high confidence comes from: 1) The endpoint's exposure to anonymous users 2) Email service being explicitly mentioned 3) The pattern of template path manipulation being a common vector for combined XSS/path traversal vulnerabilities 4) Version 3.15.13's resolution indicating these components required fundamental fixes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-38723: Gravitee API Management contains Path Traversal

CVE-2022-38723:

8.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-38723: Gravitee API Management contains Path Traversal

Technical Details

8.6

8.6

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI