CVE-2020-35460 — Path Traversal in Mpxj

CWE-22 — Path Traversal5 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.5%

top 35.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mpxj Oracle Primavera Unifier Joniles Mpxj

Timeline

PublishedDec 14

Latest updateOct 28

Description

common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allows directory traversal in the zip stream handler flow, leading to the writing of files to arbitrary locations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDmpxj/mpxj< 8.3.5

▶CVEListV5joniles/mpxj>= 8.3.5, < 13.5.1

▶NVDoracle/primavera_unifier17.7 — 17.12+5

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

MPXJ has a Potential Path Traversal Vulnerability↗2024-10-28

▶

GHSA

MPXJ path Traversal vulnerability↗2020-12-18

▶

OSV

MPXJ path Traversal vulnerability↗2020-12-18

▶

CVEList

CVE-2020-35460: common/InputStreamHelper↗2020-12-14

▶