Vulnerability Details : CVE-2022-4880
A vulnerability was found in stakira OpenUtau and has been classified as critical. It affects the function VoicebankInstaller in the file OpenUtau.Core/Classic/VoicebankInstaller.cs of the component ZIP Archive Handler. The manipulation leads to path traversal. Upgrading to version 0.0.991 addresses this issue. The identifier of the patch is 849a0a6912aac8b1c28cc32aa1132a3140caff4a. It is recommended to upgrade the affected component. The identifier VDB-217617 was assigned to this vulnerability.
Vulnerability category: Directory traversal
Products affected by CVE-2022-4880
- cpe:2.3:a:openutau:openutau:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-4880
- EPSS score: 0.24% (probability of exploitation activity in the next 30 days)
- Percentile: ~63% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-4880
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.2 | MEDIUM | AV:A/AC:L/Au:S/C:P/I:P/A:P | 5.1 | 6.4 | VulDB | |
| 5.5 | MEDIUM | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 2.1 | 3.4 | VulDB | |
| 5.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 2.1 | 3.4 | VulDB | 2024-02-29 |
| 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2022-4880
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by:
- cna@vuldb.com (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2022-4880
- https://vuldb.com/?ctiid.217617 (Permissions Required)
- https://vuldb.com/?id.217617 (Third Party Advisory)
- https://github.com/stakira/OpenUtau/commit/849a0a6912aac8b1c28cc32aa1132a3140caff4a : Merge pull request #544 from oxygen-dioxide/zipslip · stakira/OpenUtau@849a0a6 · GitHub (Patch)
- https://github.com/stakira/OpenUtau/releases/tag/build%2F0.0.991 : Release 0.0.991 · stakira/OpenUtau · GitHub (Release Notes)
- https://github.com/stakira/OpenUtau/pull/544 : Prevent from zip slip attack / 防范zip上级文件夹攻击 by oxygen-dioxide · Pull Request #544 · stakira/OpenUtau · GitHub (Patch)