@garatc
Created December 27, 2022 14:25
CVE-2022-38723
A certain HTML injection combined with path traversal in the Email service in Gravitee API Management before 3.15.13 allows anonymous users to read arbitrary files via a /management/users/register request.
A patch was published in 2019 for this vulnerability but did not appear to have solved the issue. The fix released this year (2022, in 3.15.13), however, effectively removes the flaw.
Vulnerable product: Gravitee API Management
Affected version: < 3.15.13
Fixed version: 3.15.13
References:
https://github.com/gravitee-io/gravitee-api-management
2019 vulnerability: https://github.com/advisories/GHSA-xc4w-28g8-vqm5