CVE-2022-45866: Path Traversal
First published: Wed Nov 23 2022(Updated: )
qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| qpress | <11.3 | |
| Fedora | =35 | |
| Fedora | =36 | |
| Fedora | =37 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/EvgeniyPatlan/qpress/commit/ddb312090ebd5794e81bc6fb1dfb4e79eda48761
- https://github.com/PierreLvx/qpress/compare/20170415...20220819
- https://github.com/PierreLvx/qpress/pull/6
- https://github.com/percona/percona-xtrabackup/pull/1366
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BQWF7635AJSDKEIGLB73XAH643POGTFY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4RXO3VYIFRTNIFHWIAZWND6ZXQ5OYOB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UUZ73XT2FXLHC7I4ODLOVB4O4QN7Q7JB/
- https://pkgs.org/download/qpress
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQWF7635AJSDKEIGLB73XAH643POGTFY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4RXO3VYIFRTNIFHWIAZWND6ZXQ5OYOB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UUZ73XT2FXLHC7I4ODLOVB4O4QN7Q7JB/
Frequently Asked Questions
What is the severity of CVE-2022-45866?
CVE-2022-45866 has been assessed as critical due to the possibility of directory traversal vulnerabilities allowing unauthorized access to sensitive files.
How do I fix CVE-2022-45866?
To fix CVE-2022-45866, upgrade to version 11.3 or later of qpress.
What products are affected by CVE-2022-45866?
CVE-2022-45866 affects qpress prior to version 11.3 and is also used in products like Percona XtraBackup.
What type of vulnerability is CVE-2022-45866?
CVE-2022-45866 is a directory traversal vulnerability that allows attackers to access files outside of designated directories.
Which versions of Fedora are impacted by CVE-2022-45866?
CVE-2022-45866 impacts Fedora versions 35, 36, and 37.
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/first-publish-date
- agent/author
- agent/last-modified-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/qpress project
- canonical/qpress
- vendor/fedoraproject
- canonical/fedora
- version/fedora/35
- version/fedora/36
- version/fedora/37