CVE-2022-47526

Fox-IT DataDiode (aka Fox DataDiode) 3.4.3 suffers from a path traversal vulnerability with resultant arbitrary writing of files. A remote attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the downstream node user. Exploitation of this issue does not require user interaction.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.fox-it.com/nl-en/fox-crypto/fox-datadiode/	Product
https://www.fox-it.com/nl-en/software-vulnerability-report/	Product
https://www.fox-it.com/nl-en/fox-crypto/fox-datadiode/	Product
https://www.fox-it.com/nl-en/software-vulnerability-report/	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:fox-it:fox_datadiode_firmware:3.4.3:*:*:*:*:*:*:*

cpe:2.3:h:fox-it:fox_datadiode:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-05-31 00:15

Updated : 2025-01-14 17:15

NVD link : CVE-2022-47526

Mitre link : CVE-2022-47526

CVE.ORG link : CVE-2022-47526

JSON object : View

Products Affected

fox-it

fox_datadiode
fox_datadiode_firmware

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2022-47526", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-05-31T00:15:09.647", "references": [{"url": "https://www.fox-it.com/nl-en/fox-crypto/fox-datadiode/", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://www.fox-it.com/nl-en/software-vulnerability-report/", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://www.fox-it.com/nl-en/fox-crypto/fox-datadiode/", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.fox-it.com/nl-en/software-vulnerability-report/", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Fox-IT DataDiode (aka Fox DataDiode) 3.4.3 suffers from a path traversal vulnerability with resultant arbitrary writing of files. A remote attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the downstream node user. Exploitation of this issue does not require user interaction."}], "lastModified": "2025-01-14T17:15:09.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fox-it:fox_datadiode_firmware:3.4.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40CFFED0-0DB1-465B-ACFB-200DF1142503"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:fox-it:fox_datadiode:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "CCE8FA93-9DAE-42B4-ABB9-BB66CD95F921"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}