Vulnerability Details CVE-2022-46902
An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is a Path Traversal for an Unzip operation. The Vocera Report Console contains a websocket function that allows for the restoration of the database from a ZIP archive that expects a SQL import file. During the unzip operation, the code takes file paths from the ZIP archive and writes them to a Vocera temporary directory. Unfortunately, the code does not properly check if the file paths include directory traversal payloads that would escape the intended destination.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 24.8%
CVSS Severity
CVSS v3 Score 7.5
References
- https://www.stryker.com/us/en/about/governance/cyber-security/product-security/
- https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html
- https://www.stryker.com/us/en/about/governance/cyber-security/product-security/
- https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html
Products affected by CVE-2022-46902
-
cpe:2.3:a:vocera:report_server:*
-
cpe:2.3:a:vocera:voice_server:*