Lookup for vulnerable packages by Package URL.
| Field | Value |
|---|---|
| Purl | pkg:maven/com.github.jlangch/venice@1.8.5 |
| Type | maven |
| Namespace | com.github.jlangch |
| Name | venice |
| Version | 1.8.5 |
| Qualifiers | |
| Subpath | |
| Is_vulnerable | true |
| Next_non_vulnerable_version | 1.10.17 |
| Latest_non_vulnerable_version | 1.10.17 |

Affected_by_vulnerabilities (entry 0):

| Field | Value |
|---|---|
| url | VCID-yh5c-yzed-nyds |
| vulnerability_id | VCID-yh5c-yzed-nyds |

Summary (advisory text for VCID-yh5c-yzed-nyds):
Venice vulnerable to Partial Path Traversal issue within the functions `load-file` and `load-resource`
### Impact
A partial path traversal issue exists within the functions `load-file` and `load-resource`. These functions can be restricted to load files only from a configured list of load paths.

Assuming Venice has been configured with the load paths `[ "/Users/foo/resources" ]`:

When passing **relative** paths to these two vulnerable functions everything is fine:

* `(load-resource "test.png")` => loads the file "/Users/foo/resources/test.png"
* `(load-resource "../resources-alt/test.png")` => rejected, outside the load path

When passing **absolute** paths to these two vulnerable functions Venice may return files outside the configured load paths:

* `(load-resource "/Users/foo/resources/test.png")` => loads the file "/Users/foo/resources/test.png"
* `(load-resource "/Users/foo/resources-alt/test.png")` => loads the file "/Users/foo/resources-alt/test.png" !!!

The latter call suffers from the _Partial Path Traversal_ vulnerability: the load-path check compares a name prefix rather than a whole directory component.

This issue's scope is limited to absolute paths whose name prefix matches a load path. E.g. for the load path `"/Users/foo/resources"`, an attacker can also load a resource from `"/Users/foo/resources-alt"`, but not from `"/Users/foo/images"`.

Versions of Venice up to and including v1.10.16 are affected by this issue.
### Patches
Upgrade to Venice 1.10.17 or later if you are on a version below 1.10.17.
### Workarounds
If you cannot upgrade the library, you can control the functions that can be used in Venice with a sandbox. If it is appropriate, the functions `load-file` and `load-resource` can be blacklisted in the sandbox.
### References
* [PR](https://github.com/jlangch/venice/pull/4/commits/c942c73136333bc493050910f171a48e6f575b23)
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [GitHub Venice](https://github.com/jlangch/venice)
* Email us at [juerg.ch](mailto:juerg.ch@ggaweb.ch)
### Credits
I want to publicly recognize the contribution of [Jonathan Leitschuh](https://github.com/JLLeitschuh) for reporting this issue.
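To make the Impact section above concrete, here is an added Python example (not Venice's own code, which is Java) that reconstructs the two load-path checks: a prefix-only comparison that reproduces the accept/reject behaviour the advisory describes, beside a separator-aware check that closes the gap. The load path and file names are the advisory's own examples; the function names and the exact shape of the pre-fix check are assumptions for illustration.

```python
import posixpath

# Load-path configuration from the advisory's example (constructed for this demo).
LOAD_PATHS = ["/Users/foo/resources"]


def resolve_vulnerable(path, load_paths=LOAD_PATHS):
    """Reconstruction (assumed, not Venice's code) of a prefix-only check.
    Relative paths that climb out of the load path are rejected, but an
    absolute path is accepted as soon as its text *starts with* a load path,
    so "/Users/foo/resources-alt/..." passes for load path "/Users/foo/resources"."""
    for base in load_paths:
        if posixpath.isabs(path):
            candidate = posixpath.normpath(path)
            if candidate.startswith(base):      # bug: textual prefix, not a directory
                return candidate
        else:
            rel = posixpath.normpath(path)
            if rel == ".." or rel.startswith("../"):   # escapes the load path
                continue
            return posixpath.join(base, rel)
    return None


def resolve_hardened(path, load_paths=LOAD_PATHS):
    """Separator-aware check: after normalisation the candidate must be the
    load path itself or lie strictly below it, i.e. commonpath() must return
    the load path. A sibling directory sharing a name prefix no longer matches."""
    for base in load_paths:
        base = posixpath.normpath(base)
        candidate = path if posixpath.isabs(path) else posixpath.join(base, path)
        candidate = posixpath.normpath(candidate)
        if posixpath.commonpath([base, candidate]) == base:
            return candidate
    return None


if __name__ == "__main__":
    for p in ["test.png", "../resources-alt/test.png",
              "/Users/foo/resources/test.png", "/Users/foo/resources-alt/test.png"]:
        print(f"{p!r:40} vulnerable={resolve_vulnerable(p)!r:40} hardened={resolve_hardened(p)!r}")
```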
References (entry 0):

| Field | Value |
|---|---|
| reference_url | https://api.first.org/data/v1/epss?cve=CVE-2022-36007 |
| reference_id | |
| reference_type | |
| url | https://api.first.org/data/v1/epss?cve=CVE-2022-36007 |

Scores attached to this reference:

| # | published_at | value | scoring_system | scoring_elements |
|---|---|---|---|---|
| 0 | 2026-06-09T12:55:00Z | 0.00137 | epss | 0.3344 |
| 1 | 2026-06-04T12:55:00Z | 0.00137 | epss | 0.3337 |
| 2 | 2026-06-05T12:55:00Z | 0.00137 | epss | 0.33472 |
| 3 | 2026-06-06T12:55:00Z | 0.00137 | epss | 0.33487 |
| 4 | 2026-06-07T12:55:00Z | 0.00137 | epss | 0.33453 |
| 5 | 2026-06-08T12:55:00Z | 0.00137 | epss | 0.33419 |
| Field | Value |
|---|---|
| fixed_packages | |
| aliases | CVE-2022-36007, GHSA-4mmh-5vw7-rgvj |
| risk_score | 3.1 |
| exploitability | 0.5 |
| weighted_severity | 6.2 |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-yh5c-yzed-nyds |

Package summary:

| Field | Value |
|---|---|
| Fixing_vulnerabilities | |
| Risk_score | 3.1 |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/com.github.jlangch/venice@1.8.5 |