CVE-2022-31025

一、漏洞信息
漏洞编号：[CVE-2022-31025](https://nvd.nist.gov/vuln/detail/CVE-2022-31025)
漏洞归属组件：acpi, https://gitee.com/euler-ttttt/acpi
漏洞归属的版本：1.7.15
CVSS分值：
&emsp;BaseScore： 7.7 High
&emsp;Vector： CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

漏洞简述：
Bleve is a1a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (bleve/http) handlers for exposing the access to the indexes. For instance, the CreateIndexHandler (`http/index_create.go`) and DeleteIndexHandler (`http/index_delete.go`) enable an attacker to create a bleve index (directory structure) anywhere where the user running the server has the write permissions and to delete recursively any directory owned by the same user account. Users who have used the bleve/http package for exposing access to bleve index without the explicit handling for the Role Based Access Controls(RBAC) of the index assets would be impacted by this issue. There is no patch for this issue because the http package is purely intended to be used for demonstration purposes. Bleve was never designed handle the RBACs, nor it was ever advertised to be used in that way. The collaborators of this project have decided to stay away from adding any authentication or authorization to bleve project at the moment. The bleve/http package is mainly for demonstration purposes and it lacks exhaustive validation of the user inputs as well as any authentication and authorization measures. It is recommended to not use bleve/http in production use cases.1

漏洞公开时间：2022-06-02 09:15:00
漏洞创建时间：2024-12-24 16:37:40
漏洞详情参考链接：
[https://nvd.nist.gov/vuln/detail/CVE-2022-31025](https://nvd.nist.gov/vuln/detail/CVE-2022-31025)
漏洞分析指导链接：
[https://gitee.com/mindspore/community/blob/master/security/cve_issue_template.md](https://gitee.com/mindspore/community/blob/master/security/cve_issue_template.md)
漏洞补丁信息：
<details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=9903ba28c28ab18dc7b7b6fb8571cc8b5caae1a6 (n6.0) |  | ubuntu |
|  |  | https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a937b3c58babae893fb46b286a4792cd24a01d3d (n5.1.6) |  | ubuntu |
|  |  | https://ffmpeg.org/ |  | nvd |
|  |  | https://github.com/CookedMelon/ReportCVE/tree/main/FFmpeg/poc5 |  | nvd |
|  |  | https://github.com/CookedMelon/ReportCVE/tree/main/FFmpeg/poc6 |  | nvd |
|  |  | https://vuldb.com/?ctiid.273945 |  | nvd |
|  |  | https://vuldb.com/?id.273945 |  | nvd |

</details>

二、漏洞分析结构反馈
影响性分析说明：

漏洞评分(MindSpore评分):
&emsp;BaseScore： 
&emsp;Vector：

受影响版本排查(受影响/不受影响)：
1.master:
2.r1.10:
3.r1.9:
4.r2.0:
5.r2.1:
6.r2.2:
7.r2.3:

euler-ttttt/acpi

内容风险标识

评论 (1)

euler-ttttt/acpi .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2022-31025

评论 (1)

搜索帮助

euler-ttttt/acpi