Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-39367

Good to know:

icon

Date: October 28, 2022

QTIWorks is a software suite for standards-based assessment delivery. Prior to version 1.0-beta15, the QTIWorks Engine allows users to upload QTI content packages as ZIP files. The ZIP handling code does not sufficiently check the paths of files contained within ZIP files, so can insert files into other locations in the filesystem if they are writable by the process running the QTIWorks Engine. In extreme cases, this could allow anonymous users to change files in arbitrary locations in the filesystem. In normal QTIWorks Engine deployments, the impact is somewhat reduced because the default QTIWorks configuration does not enable the public demo functionality, so ZIP files can only be uploaded by users with "instructor" privileges. This vulnerability is fixed in version 1.0-beta15. There are no database configuration changes required when upgrading to this version. No known workarounds for this issue exist.

Language: Java

Severity Score

Related Resources (5)

https://github.com/davemckain/qtiworks/commit/1a46d6d842877ba2b824d5c269845827e2e0ccac
https://github.com/davemckain/qtiworks/security/advisories/GHSA-xrjg-59rc-4j42
https://github.com/davemckain/qtiworks/pull/81
https://nvd.nist.gov/vuln/detail/CVE-2022-39367
https://www.mend.io/vulnerability-database/CVE-2022-39367

Severity Score

Weakness Type (CWE)

Path Traversal

CWE-22

Top Fix

icon

Upgrade Version

Upgrade to version 1.0-beta15

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us