CVE-2022-29597
Published: 02 June 2022
Summary
CVE-2022-29597 is a medium-severity Path Traversal (CWE-22) vulnerability in Solutions-Atlantic Regulatory Reporting System. Its CVSS base score is 6.5 (Medium).
Operationally, ranked in the top 9.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Solutions Atlantic Regulatory Reporting System (RRS) version 500 contains a local file inclusion vulnerability in the RRSWeb/maint/ShowDocument/ShowDocument.aspx page. The flaw, tracked as CVE-2022-29597 and assigned CWE-22, permits any authenticated user to supply arbitrary file paths in requests, causing the server to return the contents of internal system files. The issue carries a CVSS 3.1 score of 6.5 reflecting network attack vector, low complexity, and low privileges required for high-impact confidentiality exposure.
An attacker who has obtained valid credentials can exploit the page to read sensitive configuration files, application source code, or other data stored on the underlying file system. This access can reveal internal system details and facilitate further reconnaissance or lateral movement without needing elevated privileges or user interaction.
Public references include a proof-of-concept repository on GitHub and the vendor product page, but no official advisory or patch information is provided in the available sources. The associated EPSS score has remained flat at 0.0609 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33929
Vulnerability details
Solutions Atlantic Regulatory Reporting System (RRS) v500 is vulnerable to Local File Inclusion (LFI). Any authenticated user has the ability to reference internal system files within requests made to the RRSWeb/maint/ShowDocument/ShowDocument.aspx page. The server will successfully respond with the file…
more
contents of the internal system file requested. This ability could allow for adversaries to extract sensitive data and/or files from the underlying file system, gain knowledge about the internal workings of the system, or access source code of the application.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.