VulnerableCode Package Details - pkg:maven/com.github.jlangch/venice@1.10.17

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-yhch-as6w-eqdn	Venice is a Clojure inspired sandboxed Lisp dialect with excellent Java interoperability. A partial path traversal issue exists within the functions `load-file` and `load-resource`. These functions can be limited to load files from a list of load paths. Assuming Venice has been configured with the load paths: `[ "/Users/foo/resources" ]` When passing relative paths to these two vulnerable functions everything is fine: `(load-resource "test.png")` => loads the file "/Users/foo/resources/test.png" `(load-resource "../resources-alt/test.png")` => rejected, outside the load path When passing absolute paths to these two vulnerable functions Venice may return files outside the configured load paths: `(load-resource "/Users/foo/resources/test.png")` => loads the file "/Users/foo/resources/test.png" `(load-resource "/Users/foo/resources-alt/test.png")` => loads the file "/Users/foo/resources-alt/test.png" !!! The latter call suffers from the _Partial Path Traversal_ vulnerability. This issue’s scope is limited to absolute paths whose name prefix matches a load path. E.g. for a load-path `"/Users/foo/resources"`, the actor can cause loading a resource also from `"/Users/foo/resources-alt"`, but not from `"/Users/foo/images"`. Versions of Venice before and including v1.10.17 are affected by this issue. Upgrade to Venice >= 1.10.18, if you are on a version < 1.10.18. There are currently no known workarounds.	CVE-2022-36007 GHSA-4mmh-5vw7-rgvj

Vulnerability

Summary

Aliases

VCID-yhch-as6w-eqdn

Venice is a Clojure inspired sandboxed Lisp dialect with excellent Java interoperability. A partial path traversal issue exists within the functions `load-file` and `load-resource`. These functions can be limited to load files from a list of load paths. Assuming Venice has been configured with the load paths: `[ "/Users/foo/resources" ]` When passing **relative** paths to these two vulnerable functions everything is fine: `(load-resource "test.png")` => loads the file "/Users/foo/resources/test.png" `(load-resource "../resources-alt/test.png")` => rejected, outside the load path When passing **absolute** paths to these two vulnerable functions Venice may return files outside the configured load paths: `(load-resource "/Users/foo/resources/test.png")` => loads the file "/Users/foo/resources/test.png" `(load-resource "/Users/foo/resources-alt/test.png")` => loads the file "/Users/foo/resources-alt/test.png" !!! The latter call suffers from the _Partial Path Traversal_ vulnerability. This issue’s scope is limited to absolute paths whose name prefix matches a load path. E.g. for a load-path `"/Users/foo/resources"`, the actor can cause loading a resource also from `"/Users/foo/resources-alt"`, but not from `"/Users/foo/images"`. Versions of Venice before and including v1.10.17 are affected by this issue. Upgrade to Venice >= 1.10.18, if you are on a version < 1.10.18. There are currently no known workarounds.

CVE-2022-36007
GHSA-4mmh-5vw7-rgvj

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T08:16:28.173346+00:00	GithubOSV Importer	Fixing	VCID-yhch-as6w-eqdn	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-4mmh-5vw7-rgvj/GHSA-4mmh-5vw7-rgvj.json	38.6.0
2026-06-11T20:32:03.314629+00:00	GHSA Importer	Fixing	VCID-yhch-as6w-eqdn	https://github.com/advisories/GHSA-4mmh-5vw7-rgvj	38.6.0

2026-06-12T08:16:28.173346+00:00

GithubOSV Importer

Fixing

VCID-yhch-as6w-eqdn

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-4mmh-5vw7-rgvj/GHSA-4mmh-5vw7-rgvj.json

38.6.0

2026-06-11T20:32:03.314629+00:00

GHSA Importer

Fixing

VCID-yhch-as6w-eqdn

https://github.com/advisories/GHSA-4mmh-5vw7-rgvj

38.6.0