VDB-217617 · CVE-2022-4880 · ID 544

stakira OpenUtau avant 0.0.991 ZIP Archive VoicebankInstaller.cs VoicebankInstaller directory traversal

Une vulnérabilité classée critique a été trouvée dans stakira OpenUtau. Affecté par cette vulnérabilité est la fonction VoicebankInstaller du fichier OpenUtau.Core/Classic/VoicebankInstaller.cs du composant ZIP Archive Handler. A cause de la manipulation avec une valeur d'entrée inconnue mène à une vulnérabilité de classe directory traversal. La notice d'information est disponible en téléchargement sur github.com. Cette vulnérabilité est identifiée comme CVE-2022-4880. L'attaque ne peut être seulement réalisée au sein du réseau local. Des details techniques sont connus. Il est déclaré comme non défini. Mettre à jour à la version 0.0.991 élimine cette vulnérabilité. La mise à jour est disponible au téléchargment sur github.com. Le correctif est disponible au téléchargement sur github.com. La meilleure solution suggérée pour atténuer le problème est de mettre à jour à la dernière version. Une solution envisageable a été publiée avant et non après après la publication de la vulnérabilité.

Domaine	07/01/2023 14:00	29/01/2023 21:48	29/01/2023 22:01
url	https://github.com/stakira/OpenUtau/pull/544	https://github.com/stakira/OpenUtau/pull/544	https://github.com/stakira/OpenUtau/pull/544
name	Upgrade	Upgrade	Upgrade
upgrade_version	0.0.991	0.0.991	0.0.991
upgrade_url	https://github.com/stakira/OpenUtau/releases/tag/build%2F0.0.991	https://github.com/stakira/OpenUtau/releases/tag/build%2F0.0.991	https://github.com/stakira/OpenUtau/releases/tag/build%2F0.0.991
patch_name	849a0a6912aac8b1c28cc32aa1132a3140caff4a	849a0a6912aac8b1c28cc32aa1132a3140caff4a	849a0a6912aac8b1c28cc32aa1132a3140caff4a
patch_url	https://github.com/stakira/OpenUtau/commit/849a0a6912aac8b1c28cc32aa1132a3140caff4a	https://github.com/stakira/OpenUtau/commit/849a0a6912aac8b1c28cc32aa1132a3140caff4a	https://github.com/stakira/OpenUtau/commit/849a0a6912aac8b1c28cc32aa1132a3140caff4a
advisoryquote	Prevent from zip slip attack / 防范zip上级文件夹攻击	Prevent from zip slip attack / 防范zip上级文件夹攻击	Prevent from zip slip attack / 防范zip上级文件夹攻击
cve	CVE-2022-4880	CVE-2022-4880	CVE-2022-4880
responsible	VulDB	VulDB	VulDB
date	1673046000 (07/01/2023)	1673046000 (07/01/2023)	1673046000 (07/01/2023)
cvss2_vuldb_ac	L	L	L
cvss2_vuldb_ci	P	P	P
cvss2_vuldb_ii	P	P	P
cvss2_vuldb_ai	P	P	P
cvss2_vuldb_rc	C	C	C
cvss2_vuldb_rl	OF	OF	OF
cvss2_vuldb_av	A	A	A
cvss2_vuldb_au	S	S	S
cvss2_vuldb_e	ND	ND	ND
cvss3_vuldb_av	A	A	A
cvss3_vuldb_pr	L	L	L
cvss3_vuldb_ui	N	N	N
cvss3_vuldb_e	X	X	X
cvss2_vuldb_basescore	5.2	5.2	5.2
cvss2_vuldb_tempscore	4.5	4.5	4.5
cvss3_vuldb_basescore	5.5	5.5	5.5
cvss3_vuldb_tempscore	5.3	5.3	5.3
cvss3_meta_basescore	5.5	5.5	6.9
cvss3_meta_tempscore	5.3	5.3	6.9
price_0day	$0-$5k	$0-$5k	$0-$5k
vendor	stakira	stakira	stakira
name	OpenUtau	OpenUtau	OpenUtau
component	ZIP Archive Handler	ZIP Archive Handler	ZIP Archive Handler
file	OpenUtau.Core/Classic/VoicebankInstaller.cs	OpenUtau.Core/Classic/VoicebankInstaller.cs	OpenUtau.Core/Classic/VoicebankInstaller.cs
function	VoicebankInstaller	VoicebankInstaller	VoicebankInstaller
cwe	22 (directory traversal)	22 (directory traversal)	22 (directory traversal)
risk	2	2	2
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	L	L	L
cvss3_vuldb_i	L	L	L
cvss3_vuldb_a	L	L	L
cvss3_vuldb_rl	O	O	O
cvss3_vuldb_rc	C	C	C
identifier	544	544	544
cve_assigned		1673046000 (07/01/2023)	1673046000 (07/01/2023)
cve_nvd_summary		A vulnerability was found in stakira OpenUtau. It has been classified as critical. This affects the function VoicebankInstaller of the file OpenUtau.Core/Classic/VoicebankInstaller.cs of the component ZIP Archive Handler. The manipulation leads to path traversal. Upgrading to version 0.0.991 is able to address this issue. The name of the patch is 849a0a6912aac8b1c28cc32aa1132a3140caff4a. It is recommended to upgrade the affected component. The identifier VDB-217617 was assigned to this vulnerability.	A vulnerability was found in stakira OpenUtau. It has been classified as critical. This affects the function VoicebankInstaller of the file OpenUtau.Core/Classic/VoicebankInstaller.cs of the component ZIP Archive Handler. The manipulation leads to path traversal. Upgrading to version 0.0.991 is able to address this issue. The name of the patch is 849a0a6912aac8b1c28cc32aa1132a3140caff4a. It is recommended to upgrade the affected component. The identifier VDB-217617 was assigned to this vulnerability.
cvss3_nvd_pr			N
cvss3_nvd_ui			N
cvss3_nvd_s			U
cvss3_nvd_c			H
cvss3_nvd_i			H
cvss3_nvd_a			H
cvss2_nvd_av			A
cvss2_nvd_ac			L
cvss2_nvd_au			S
cvss2_nvd_ci			P
cvss2_nvd_ii			P
cvss2_nvd_ai			P
cvss3_cna_av			A
cvss3_cna_ac			L
cvss3_cna_pr			L
cvss3_cna_ui			N
cvss3_cna_s			U
cvss3_cna_c			L
cvss3_cna_i			L
cvss3_cna_a			L
cve_cna			VulDB
cvss2_nvd_basescore			5.2
cvss3_nvd_basescore			9.8
cvss3_cna_basescore			5.5
cvss3_nvd_av			N
cvss3_nvd_ac			L

◂ Précédent Aperçu Suivant ▸

Interested in the pricing of exploits?

See the underground prices here!