CVE-2022-45866

Public Exploit

Description

qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file.

References

Link	Tags
https://pkgs.org/download/qpress	product
https://github.com/PierreLvx/qpress/pull/6	third party advisory exploit
https://github.com/EvgeniyPatlan/qpress/commit/ddb312090ebd5794e81bc6fb1dfb4e79eda48761	third party advisory patch
https://github.com/PierreLvx/qpress/compare/20170415...20220819	third party advisory patch
https://github.com/percona/percona-xtrabackup/pull/1366	third party advisory exploit
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQWF7635AJSDKEIGLB73XAH643POGTFY/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4RXO3VYIFRTNIFHWIAZWND6ZXQ5OYOB/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UUZ73XT2FXLHC7I4ODLOVB4O4QN7Q7JB/	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2022-45866?: CVE-2022-45866 has been scored as a medium severity vulnerability.
How to fix CVE-2022-45866?: To fix CVE-2022-45866, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-45866 being actively exploited in the wild?: It is possible that CVE-2022-45866 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions