CVE-2022-35410 — Path Traversal in Mat2

CWE-22 — Path Traversal5 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 42.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

0xacab Mat2 Debian Mat2 Debian Linux

Timeline

PublishedJul 8

Latest updateJul 12

Description

mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../ directory traversal during the ZIP archive cleaning process. This primarily affects mat2 web instances, in which clients could obtain sensitive information via a crafted archive.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVD0xacab/mat2< 0.13.0

▶PyPI0xacab/mat2< 0.13.0

▶debiandebian/mat2< mat2 0.13.0-1 (bookworm)

▶Debian0xacab/mat2< 0.12.1-2+deb11u1+3

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: 0xacab.org ↗Patch: dustri.org ↗Patch: 0xacab.org ↗

🔴Vulnerability Details

OSV

mat2 before 0.13.0 allows directory traversal during the ZIP archive cleaning process.↗2022-07-12

▶

GHSA

mat2 before 0.13.0 allows directory traversal during the ZIP archive cleaning process.↗2022-07-12

▶

OSV

CVE-2022-35410: mat2 (aka metadata anonymisation toolkit) before 0↗2022-07-08

▶

📋Vendor Advisories

Debian

CVE-2022-35410: mat2 - mat2 (aka metadata anonymisation toolkit) before 0.13.0 allows ../ directory tra...↗2022

▶