CVE-2022-0072: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in LiteSpeed Technologies OpenLiteSpeed Web Server
Directory Traversal vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards allows Path Traversal. This affects versions from 1.5.11 through 1.5.12, from 1.6.5 through 1.6.20.1, and from 1.7.0 before 1.7.16.1.
AI Analysis
Technical Summary
CVE-2022-0072 is a directory traversal vulnerability (CWE-22) affecting LiteSpeed Technologies' OpenLiteSpeed Web Server and LiteSpeed Web Server dashboards. The flaw exists in versions 1.5.11 through 1.5.12, 1.6.5 through 1.6.20.1, and 1.7.0 before 1.7.16.1. This vulnerability allows an unauthenticated remote attacker to manipulate pathname inputs to access files and directories outside the intended restricted directory. The vulnerability arises from improper limitation of pathname traversal sequences, such as '../', enabling attackers to read arbitrary files on the server. The CVSS v3.1 base score is 5.8 (medium severity), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), scope changed (S:C), confidentiality impact low (C:L), and no impact on integrity or availability (I:N/A:N). Exploitation does not require authentication or user interaction, increasing the risk of automated attacks. Although no known exploits are reported in the wild, the vulnerability could be leveraged to access sensitive configuration files, credentials, or other data that could facilitate further compromise. The scope change indicates that the vulnerability affects resources beyond the initially vulnerable component, potentially impacting the entire server environment. The lack of patches linked in the provided data suggests that users should verify the availability of vendor updates and apply them promptly to remediate the issue.
Potential Impact
For European organizations using OpenLiteSpeed Web Server, this vulnerability poses a risk of unauthorized disclosure of sensitive information stored on web servers. Attackers exploiting this flaw could access configuration files, source code, or other sensitive data, potentially leading to further attacks such as credential theft, privilege escalation, or lateral movement within networks. Given that OpenLiteSpeed is used in various hosting environments, including small to medium enterprises and web hosting providers, the impact could extend to customer data confidentiality and service trustworthiness. The medium severity score reflects a moderate risk; however, the lack of required privileges and user interaction increases the likelihood of exploitation. Organizations handling personal data under GDPR must consider the potential for data breaches and the associated regulatory and reputational consequences. Additionally, compromised web servers can be leveraged as footholds for broader attacks against internal networks or supply chains, amplifying the threat to European entities.
Mitigation Recommendations
European organizations should immediately identify all instances of OpenLiteSpeed Web Server in their environments and verify the version in use. Applying the latest vendor patches or updates that address CVE-2022-0072 is the primary mitigation step. If patches are not yet available, organizations should implement strict access controls to limit exposure of the web server dashboards and restrict access to trusted IP addresses only. Web application firewalls (WAFs) should be configured to detect and block directory traversal patterns in HTTP requests. Regularly auditing server logs for suspicious path traversal attempts can help in early detection of exploitation attempts. Additionally, organizations should ensure that sensitive files and directories are not accessible by the web server user and that file system permissions follow the principle of least privilege. Network segmentation can limit the impact of a compromised web server. Finally, organizations should monitor threat intelligence sources for any emerging exploit code or attack campaigns related to this vulnerability to adjust defenses accordingly.
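The two controls the analysis above relies on, limiting '../' sequences so a request cannot resolve outside the restricted directory, and auditing access logs for traversal attempts, both come down to the same step: decode the request path the way the server will and check whether the canonical result still lies under the document root. The following is an added example written for this page, not code from LiteSpeed or from the advisory. It assumes a hypothetical document root of /var/www/html and a combined-format access log; the log lines are constructed for the illustration and do not come from any real server.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed document root for the illustration (not a value from the advisory).
DOC_ROOT = "/var/www/html"

# Common/combined log format: we only need client, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' path segment anywhere in the decoded path.
DOTDOT_RE = re.compile(r'(^|/)\.\.(/|$)')

# Constructed sample log: one benign request, three traversal attempts with
# plain, single-encoded and double-encoded '..', and one '..' that stays inside root.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2022:10:00:02 +0000] "GET /../../../../etc/passwd HTTP/1.1" 200 1024
198.51.100.7 - - [10/Jan/2022:10:00:03 +0000] "GET /%2e%2e/%2e%2e/secret.conf HTTP/1.1" 404 0
198.51.100.7 - - [10/Jan/2022:10:00:04 +0000] "GET /static/..%252f..%252fsecret.conf HTTP/1.1" 200 2048
192.0.2.9 - - [10/Jan/2022:10:00:05 +0000] "GET /docs/../index.html HTTP/1.1" 200 512
"""


def decode_path(raw, max_rounds=3):
    """Percent-decode until stable (bounded) so a double-encoded %252e is seen as '.'."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def normalise_request_path(raw_path):
    """Drop the query string, decode, and treat backslashes as separators."""
    path_only = raw_path.split("?", 1)[0]
    return decode_path(path_only).replace("\\", "/")


def resolve_under_root(root, raw_path):
    """Canonical absolute path if the request stays inside root, else None.

    This is the string-level containment check CWE-22 calls for; a real server
    should also resolve symlinks (os.path.realpath) before comparing.
    """
    root = posixpath.normpath(root)
    prefix = root if root.endswith("/") else root + "/"
    decoded = normalise_request_path(raw_path)
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if joined == root or joined.startswith(prefix):
        return joined
    return None


def analyse_path(root, raw_path):
    """Two independent signals: a '..' segment present, and the path escaping root."""
    decoded = normalise_request_path(raw_path)
    return {
        "decoded": decoded,
        "contains_dotdot": DOTDOT_RE.search(decoded) is not None,
        "escapes_root": resolve_under_root(root, raw_path) is None,
    }


def scan_log(log_text, root=DOC_ROOT):
    """Return one finding per request that carries a '..' segment or escapes root."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        verdict = analyse_path(root, m.group("path"))
        if verdict["contains_dotdot"] or verdict["escapes_root"]:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "raw": m.group("path"),
                **verdict,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["raw"], "->", f["decoded"],
              "ESCAPES ROOT" if f["escapes_root"] else "contained")
```

When reviewing findings, the HTTP status matters: an escaping path answered with 200 and a non-zero body is evidence the server served something outside the restricted directory, whereas a 404 is more likely a probe. The fourth sample line shows why the check must run on the decoded path, not the raw one: a single-pass decoder or a WAF rule matching the literal string "../" would not see the traversal at all. The fifth line shows the opposite case, a '..' that never leaves the root; it is still worth logging, but it is not by itself a successful traversal.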
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: palo_alto
- Date Reserved: 2021-12-28T23:57:03.295Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9817c4522896dcbd7442
Added to database: 5/21/2025, 9:08:39 AM
Last enriched: 7/4/2025, 11:57:06 PM
Last updated: 2/7/2026, 1:02:09 PM