Cyber Resilience

CVE-2022-0679

CriticalPublic PoC

Published: 28 March 2022

Published
28 March 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.8448 99.3th percentile
Risk Priority 70 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-0679 is a critical-severity Path Traversal (CWE-22) vulnerability in Narnoo Distributor Project Narnoo Distributor. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Narnoo Distributor WordPress plugin through version 2.5.1 is affected by a path traversal vulnerability (CWE-22) in the narnoo_distributor_lib_request AJAX action. The plugin does not validate or sanitize the lib_path parameter before passing it to a require() call, allowing the contents of arbitrary files to be returned in the JSON response.

Both unauthenticated and authenticated attackers can supply a crafted lib_path value to disclose sensitive files on the server. Depending on the underlying PHP configuration and system setup, the flaw can also be leveraged for remote code execution, consistent with its CVSS 3.1 score of 9.8.

The EPSS score for this CVE stands at 0.8448 with no material increase after disclosure.

EU & UK References

Vulnerability details

The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users) which results in the…

more

disclosure of arbitrary files as the content of the file is then displayed in the response as JSON data. This could also lead to RCE with various tricks but depends on the underlying system and it's configuration.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

narnoo distributor project
narnoo distributor
≤ 2.5.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References