CVE-2022-25842 is a vulnerability in Alibabagroup One Java Agent
Published on May 1, 2022
Arbitrary File Write via Archive Extraction (Zip Slip)
All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim's machine.
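The defensive check that closes a Zip Slip hole is the same in any language: resolve each entry's destination path and refuse to write anything that does not land inside the intended output directory. The following is an added example, not code from the advisory or from the one-java-agent-plugin project; it builds a constructed in-memory archive holding one benign entry and one entry with the traversal name the advisory cites (`../../evil.exe`), then extracts it with that check in place. The `safe_extract`, `is_within` and `demo` names are this example's own.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample archive (not from the advisory): one benign entry
    and one entry whose name tries to climb out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/config.txt", "benign content\n")
        zf.writestr("../../evil.exe", "placeholder, not an executable\n")
    return buf.getvalue()


def is_within(dest_dir: str, candidate: str) -> bool:
    """True if candidate resolves to dest_dir itself or to a path beneath it.

    realpath() collapses '..' components and follows symlinks, so the
    comparison is made on the final on-disk location, not the entry name."""
    dest_real = os.path.realpath(dest_dir)
    cand_real = os.path.realpath(candidate)
    return cand_real == dest_real or cand_real.startswith(dest_real + os.sep)


def safe_extract(archive_bytes: bytes, dest_dir: str):
    """Extract only entries whose resolved path stays under dest_dir.

    Returns (extracted, rejected): lists of entry names in archive order."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = os.path.join(dest_dir, name)
            # Absolute entry names and '..' traversal both fail this check
            # once the path is canonicalised; that single test is the fix.
            if os.path.isabs(name) or not is_within(dest_dir, target):
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                extracted.append(name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def demo():
    """Run the extractor on the constructed archive inside a temporary tree.

    Returns (extracted, rejected, benign_written) so the outcome can be
    inspected without relying on printed output."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.makedirs(dest)
        extracted, rejected = safe_extract(build_sample_archive(), dest)
        benign_written = os.path.isfile(os.path.join(dest, "plugin", "config.txt"))
        return extracted, rejected, benign_written


if __name__ == "__main__":
    print(demo())
```

The check is deliberately made on the canonicalised path rather than by scanning the entry name for `..`: name-based filters miss encodings, mixed separators and symlinked directories, while comparing `realpath()` results catches every way an entry could end up outside the destination.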
Vulnerability Analysis
CVE-2022-25842 is exploitable with network access and requires user interaction. This vulnerability is considered to have a high level of attack complexity. A successful exploit of this vulnerability is considered to have a high impact on confidentiality, no impact on integrity, and a small impact on availability.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.