CVE-2022-4878

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-4878

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-4878.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-4878

Published

2023-01-06T10:15:10.507Z

Modified

2025-11-14T14:22:43.237362Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

A vulnerability classified as critical has been found in JATOS. Affected is the function ZipUtil of the file modules/common/app/utils/common/ZipUtil.java of the component ZIP Handler. The manipulation leads to path traversal. Upgrading to version 3.7.5-alpha is able to address this issue. The name of the patch is 2b42519f309d8164e8811392770ce604cdabb5da. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217548.

References

Affected packages

Git / github.com/jatos/jatos

Affected ranges

Type: GIT
Repo: https://github.com/jatos/jatos
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2b42519f309d8164e8811392770ce604cdabb5da

Fixed

57fcb29023195894963340cec0bebe50250c7c96

Affected versions

g3.*

g3.5.4

j3.*

j3.3.5

n3.*

n3.3.5

v1.*

v1.0alpha

v1.1.1-alpha

v1.1.10-beta

v1.1.11-beta

v1.1.2-alpha

v1.1.3-beta

v1.1.4-beta

v1.1.5-beta

v1.1.6-beta

v1.1.7-beta

v1.1.8-beta

v1.1.9-beta

v1.1alpha

v2.*

v2.1.1-alpha

v2.1.10-beta

v2.1.11-beta

v2.1.12-beta

v2.1.2-alpha

v2.1.3-alpha

v2.1.4-alpha

v2.1.5-beta

v2.1.6-beta

v2.1.7-beta

v2.1.8-beta

v2.1.9-beta

v2.2.1-beta

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v3.*

v3.1.1-beta

v3.1.10

v3.1.11

v3.1.12

v3.1.2-beta

v3.1.3

v3.1.4

v3.1.5

v3.1.6

v3.1.7

v3.1.8

v3.1.9

v3.2.1

v3.2.2

v3.2.3

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.4.1

v3.4.2

v3.5.1

v3.5.10

v3.5.11

v3.5.2

v3.5.3

v3.5.4

v3.5.5

v3.5.6

v3.5.6-alpha

v3.5.7

v3.5.8

v3.5.9

v3.5.9-beta

v3.6.1

v3.7.1

v3.7.1-alpha

v3.7.2

v3.7.3

v3.7.3-alpha

v3.7.4

v3.7.4-alpha

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "209295836171302063460935374611281311423",
                "291932630498246839242210343900688764535",
                "258576160610024071367055793387999422133",
                "77867450690614960111603320657336848865"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2022-4878-17e26a36",
        "source": "https://github.com/jatos/jatos/commit/2b42519f309d8164e8811392770ce604cdabb5da",
        "target": {
            "file": "modules/common/app/utils/common/ZipUtil.java"
        }
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "length": 823.0,
            "function_hash": "249236534509693367760787523205059080136"
        },
        "id": "CVE-2022-4878-8fff3a9b",
        "source": "https://github.com/jatos/jatos/commit/2b42519f309d8164e8811392770ce604cdabb5da",
        "target": {
            "function": "unzip",
            "file": "modules/common/app/utils/common/ZipUtil.java"
        }
    }
]