CVE-2022-39296: Melis Asset Manager delivers module-specific assets from the modules' public folders. An attacker can read arbitrary files to obtain sensitive information.

An attacker can read arbitrary files on affected versions of `melisplatform/melis-asset-manager`, leading to the disclosure of sensitive information. This vulnerability can be used to read files that help an attacker gain access to internal systems, such as files containing access keys or passwords. The attack does not require authentication. Users should upgrade `melisplatform/melis-asset-manager` on their systems as soon as possible.

References:

MelisPlatform CVE-2022-39296

Timeline

Published on: 10/11/2022 18:15:00 UTC
Last modified on: 10/14/2022 01:05:00 UTC
