#VU62689 Path traversal in networkd-dispatcher - CVE-2022-29799

 

Published: April 28, 2022


Vulnerability identifier: #VU62689
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-29799
CWE-ID: CWE-22
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: networkd-dispatcher
Software vendor: Clayton Craft

Description

The vulnerability allows a local user to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences in the OperationalState or AdministrativeState values. Because these states are used to build the script path, a state containing directory traversal patterns (e.g. “../../”) can escape from the “/etc/networkd-dispatcher” base directory. A local user can abuse this vulnerability to bypass implemented security restrictions.
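
The path construction described above, next to a validated form, as an added Python example (not networkd-dispatcher's own code and not the vendor's patch). The `.d` directory suffix, the state-name pattern, the function names and the sample values are assumptions made for illustration.

```python
import os
import re

BASE_DIR = "/etc/networkd-dispatcher"   # base directory named in the advisory
STATE_RE = re.compile(r"[a-z][a-z-]*")  # assumed shape of a legitimate state name


def script_dir_unchecked(state: str) -> str:
    """Pattern described in the advisory: the state is joined into the path as-is."""
    return os.path.normpath(os.path.join(BASE_DIR, state + ".d"))


def script_dir_checked(state: str) -> str:
    """Reject states that are not plain names, then confirm containment."""
    if not STATE_RE.fullmatch(state):
        raise ValueError(f"rejected state value: {state!r}")
    # realpath also resolves symlinks, so a linked directory cannot leave the base.
    candidate = os.path.realpath(os.path.join(BASE_DIR, state + ".d"))
    base = os.path.realpath(BASE_DIR)
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {BASE_DIR}: {candidate!r}")
    return candidate


def audit(states):
    """Return (state, unchecked_path, verdict) for each constructed sample."""
    rows = []
    for s in states:
        try:
            script_dir_checked(s)
            verdict = "accepted"
        except ValueError:
            verdict = "rejected"
        rows.append((s, script_dir_unchecked(s), verdict))
    return rows


# Constructed sample values, not taken from a real system.
SAMPLES = ["routable", "no-carrier", "../../tmp/x", "/opt/x", "routable/../../x"]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

The allowlist check alone stops the traversal sequences; the containment check is kept as a second layer in case a directory under the base is a symlink.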


Remediation

Install the update from the vendor's website.
