Vulnerability details: VCID-yhch-as6w-eqdn
Vulnerability ID VCID-yhch-as6w-eqdn
Aliases CVE-2022-36007
GHSA-4mmh-5vw7-rgvj
Summary
Venice is a Clojure-inspired sandboxed Lisp dialect with excellent Java interoperability. A partial path traversal issue exists within the functions `load-file` and `load-resource`. These functions can be limited to load files from a list of load paths.

Assuming Venice has been configured with the load paths `[ "/Users/foo/resources" ]`:

When passing **relative** paths to these two vulnerable functions everything is fine:
`(load-resource "test.png")` => loads the file "/Users/foo/resources/test.png"
`(load-resource "../resources-alt/test.png")` => rejected, outside the load path

When passing **absolute** paths to these two vulnerable functions Venice may return files outside the configured load paths:
`(load-resource "/Users/foo/resources/test.png")` => loads the file "/Users/foo/resources/test.png"
`(load-resource "/Users/foo/resources-alt/test.png")` => loads the file "/Users/foo/resources-alt/test.png" !!!

The latter call suffers from the _Partial Path Traversal_ vulnerability. This issue's scope is limited to absolute paths whose name prefix matches a load path. E.g. for a load path `"/Users/foo/resources"`, the actor can cause loading a resource also from `"/Users/foo/resources-alt"`, but not from `"/Users/foo/images"`.

Versions of Venice before and including v1.10.17 are affected by this issue. Upgrade to Venice >= 1.10.18 if you are on a version < 1.10.18. There are currently no known workarounds.
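The prefix-matching failure the summary describes, shown as an added example that is not Venice's code: a load-path check that compares the requested absolute path to the load path as a plain string prefix accepts `/Users/foo/resources-alt/...` because it begins with `/Users/foo/resources`, while a check that compares whole path components does not. The vulnerable form below reproduces only the behaviour the advisory states (relative `..` rejected, absolute paths accepted by name prefix); how Venice itself implemented the check is not on this page. Function names, the `normalize` helper and the sample paths are this example's own, with the paths taken from the advisory.

```python
"""Partial path traversal: string-prefix check versus path-component check.

Added example modelled on the CVE-2022-36007 advisory text; not Venice code.
All paths are POSIX strings and the comparison is purely lexical (no I/O).
"""
from pathlib import PurePosixPath

# Sample load-path configuration taken from the advisory.
LOAD_PATHS = ["/Users/foo/resources"]


def normalize(path: str) -> PurePosixPath:
    """Lexically collapse '.' and '..' segments of an absolute POSIX path.

    Hypothetical helper. It never pops past the root, so "/.." stays "/".
    """
    parts: list[str] = []
    for part in PurePosixPath(path).parts:
        if part == "..":
            if len(parts) > 1:  # keep the leading "/" in place
                parts.pop()
        elif part not in (".", ""):
            parts.append(part)
    return PurePosixPath(*parts)


def vulnerable_is_allowed(requested: str, load_paths=LOAD_PATHS) -> bool:
    """Model of the affected behaviour described in the advisory.

    Relative requests are rejected if they contain a '..' segment; absolute
    requests are accepted when their normalized form merely *starts with* a
    configured load path. That string-prefix test is the defect: the prefix
    "/Users/foo/resources" also matches "/Users/foo/resources-alt/...".
    """
    if not requested.startswith("/"):
        return ".." not in PurePosixPath(requested).parts
    target = str(normalize(requested))
    return any(target.startswith(lp) for lp in load_paths)


def hardened_is_allowed(requested: str, load_paths=LOAD_PATHS) -> bool:
    """Component-wise containment check.

    A relative request is resolved against each load path; an absolute request
    is normalized as-is. The target is accepted only if it *is* a load path or
    has that load path among its ancestor directories, so a sibling directory
    that shares a name prefix is rejected.
    """
    for lp in load_paths:
        root = normalize(lp)
        if requested.startswith("/"):
            target = normalize(requested)
        else:
            target = normalize(f"{lp}/{requested}")
        if target == root or root in target.parents:
            return True
    return False


if __name__ == "__main__":
    # The four calls from the advisory, plus the "images" sibling it mentions.
    for req in ("test.png",
                "../resources-alt/test.png",
                "/Users/foo/resources/test.png",
                "/Users/foo/resources-alt/test.png",
                "/Users/foo/images/test.png"):
        print(f"{req:40} prefix-check={vulnerable_is_allowed(req)!s:5} "
              f"component-check={hardened_is_allowed(req)}")
```

The component check is still lexical: it does not follow symbolic links, so a production implementation should canonicalize both the load path and the target (for example with the platform's real-path resolution) before comparing components, otherwise a link inside the load path can still point outside it.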
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.00137 https://api.first.org/data/v1/epss?cve=CVE-2022-36007
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-4mmh-5vw7-rgvj
cvssv3.1 6.1 https://github.com/jlangch/venice
generic_textual MODERATE https://github.com/jlangch/venice
cvssv3.1 6.1 https://github.com/jlangch/venice/commit/215ae91bb964013b0a2d70718a692832d561ae0a
generic_textual MODERATE https://github.com/jlangch/venice/commit/215ae91bb964013b0a2d70718a692832d561ae0a
ssvc Track https://github.com/jlangch/venice/commit/215ae91bb964013b0a2d70718a692832d561ae0a
cvssv3.1 6.1 https://github.com/jlangch/venice/commit/c942c73136333bc493050910f171a48e6f575b23
generic_textual MODERATE https://github.com/jlangch/venice/commit/c942c73136333bc493050910f171a48e6f575b23
ssvc Track https://github.com/jlangch/venice/commit/c942c73136333bc493050910f171a48e6f575b23
cvssv3.1 6.1 https://github.com/jlangch/venice/releases/tag/v1.10.17
generic_textual MODERATE https://github.com/jlangch/venice/releases/tag/v1.10.17
ssvc Track https://github.com/jlangch/venice/releases/tag/v1.10.17
cvssv3.1 6.1 https://github.com/jlangch/venice/security/advisories/GHSA-4mmh-5vw7-rgvj
cvssv3.1_qr MODERATE https://github.com/jlangch/venice/security/advisories/GHSA-4mmh-5vw7-rgvj
generic_textual MODERATE https://github.com/jlangch/venice/security/advisories/GHSA-4mmh-5vw7-rgvj
ssvc Track https://github.com/jlangch/venice/security/advisories/GHSA-4mmh-5vw7-rgvj
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2022-36007
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-36007
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N Found at https://github.com/jlangch/venice
Attack Vector (AV): local
Attack Complexity (AC): low
Privileges Required (PR): low
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): high
Availability Impact (A): none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N Found at https://github.com/jlangch/venice/commit/215ae91bb964013b0a2d70718a692832d561ae0a
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:03Z/ Found at https://github.com/jlangch/venice/commit/215ae91bb964013b0a2d70718a692832d561ae0a
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N Found at https://github.com/jlangch/venice/commit/c942c73136333bc493050910f171a48e6f575b23
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:03Z/ Found at https://github.com/jlangch/venice/commit/c942c73136333bc493050910f171a48e6f575b23
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N Found at https://github.com/jlangch/venice/releases/tag/v1.10.17
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:03Z/ Found at https://github.com/jlangch/venice/releases/tag/v1.10.17
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N Found at https://github.com/jlangch/venice/security/advisories/GHSA-4mmh-5vw7-rgvj
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:03Z/ Found at https://github.com/jlangch/venice/security/advisories/GHSA-4mmh-5vw7-rgvj
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-36007
Exploit Prediction Scoring System (EPSS)
Percentile 0.33477
EPSS Score 0.00137
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:38:02.238925+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2022/36xxx/CVE-2022-36007.json 38.6.0