CVE-2022-26049

Arbitrary File Write via Archive Extraction (Zip Slip)

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

This affects the package com.diffplug.gradle:goomph before 3.37.2. It allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/directories could allow an attacker to achieve remote code execution on a target system by exploiting this vulnerability. **Note:** This could have allowed a malicious zip file to extract itself into an arbitrary directory. The only file that Goomph extracts is the p2 bootstrapper and eclipse metadata files hosted at eclipse.org, which are not malicious, so the only way this vulnerability could have affected you is if you had set a custom bootstrap zip, and that zip was malicious.

Esto afecta al paquete com.diffplug.gradle:goomph versiones anteriores a 3.37.2. Permite que un archivo zip malicioso salga del directorio de destino esperado, escribiendo el contenido en ubicaciones arbitrarias del sistema de archivos. La sobreescritura de determinados archivos/directorios podría permitir a un atacante lograr una ejecución de código remota en un sistema de destino al explotar esta vulnerabilidad. **Nota:** Esto podría haber permitido que un archivo zip malicioso sea extraído en un directorio arbitrario. El único archivo que Goomph extrae es el p2 bootstrapper y los archivos de metadatos de eclipse alojados en eclipse.org, que no son maliciosos, por lo que la única forma en que esta vulnerabilidad podría haberle afectado es si hubiera establecido un zip de arranque personalizado, y ese zip fuera malicioso

*Credits: Jonathan Leitschuh

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-24 CVE Reserved
2022-09-11 CVE Published
2024-09-16 CVE Updated
2024-09-16 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC
https://security.snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGGRADLE-2981040	2024-09-16

URL	Date	SRC
https://github.com/diffplug/goomph/commit/25f04f67ba62d9a14104bee13a0a0f2517afb8c8	2022-09-16
https://github.com/diffplug/goomph/pull/198	2022-09-16

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Diffplug Search vendor "Diffplug"		Goomph Search vendor "Diffplug" for product "Goomph"				< 3.37.2 Search vendor "Diffplug" for product "Goomph" and version " < 3.37.2"		-		Affected