CVE-2022-24774: CWE-20: Improper Input Validation in CycloneDX cyclonedx-bom-repo-server
CycloneDX BOM Repository Server is a bill of materials (BOM) repository server for distributing CycloneDX BOMs. CycloneDX BOM Repository Server before version 2.0.1 has an improper input validation vulnerability leading to path traversal. A malicious user may potentially exploit this vulnerability to create arbitrary directories or a denial of service by deleting arbitrary directories. The vulnerability is resolved in version 2.0.1. The vulnerability is not exploitable with the default configuration with the post and delete methods disabled. This can be configured by modifying the `appsettings.json` file, or alternatively, setting the environment variables `ALLOWEDMETHODS__POST` and `ALLOWEDMETHODS__DELETE` to `false`.
AI Analysis
Technical Summary
CVE-2022-24774 is a medium-severity vulnerability affecting versions of the CycloneDX BOM Repository Server prior to 2.0.1. CycloneDX BOM Repository Server is a specialized server used to distribute CycloneDX Bill of Materials (BOMs), which are structured documents listing components and dependencies in software projects, often used in software supply chain security.

The vulnerability arises from improper input validation (CWE-20) that leads to a path traversal issue (CWE-35). Specifically, the server fails to properly sanitize user-supplied input in HTTP POST and DELETE methods, allowing a malicious actor to manipulate file paths. Exploiting this flaw, an attacker could create arbitrary directories or delete arbitrary directories on the server filesystem. This can result in unauthorized modification of the server's directory structure, potentially leading to denial of service (DoS) conditions if critical directories are deleted or corrupted.

Notably, the vulnerability is not exploitable under the default configuration, as the POST and DELETE HTTP methods are disabled by default. Exploitation requires these methods to be enabled either by modifying the appsettings.json configuration file or by setting environment variables (ALLOWEDMETHODS__POST and ALLOWEDMETHODS__DELETE) to true. There are no known exploits in the wild, and the issue was resolved in version 2.0.1 of the software.

The vulnerability does not require authentication or user interaction beyond sending crafted HTTP requests, making it potentially accessible to remote unauthenticated attackers if the server is exposed with the vulnerable configuration. However, the scope is limited to servers that have enabled the vulnerable HTTP methods and are running affected versions. The impact primarily affects the availability and integrity of the server's file system, with confidentiality impact being minimal or none. Given the specialized nature of the product and its use in software supply chain management, exploitation could disrupt software component distribution and integrity verification processes.
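The following is an added illustration of the input-validation pattern that closes this class of bug; it is not code from the CycloneDX project and does not reproduce the server's real storage layout. It assumes a repository root of /srv/bom-repo and that a request supplies a BOM serial number and a version as path segments. The naive join shows how unchecked segments walk out of the root; the hardened version allowlists each decoded segment and then independently verifies that the normalized result is still contained in the root, which is the check a code reviewer should look for when auditing any POST or DELETE handler that touches the filesystem.

```python
import os
import re
from urllib.parse import unquote

# Assumed storage root for this example; the real server's on-disk layout is not described here.
REPO_ROOT = "/srv/bom-repo"

# One path segment may contain only these characters (enough for "urn:uuid:..." serial
# numbers and numeric versions). Slashes, backslashes and percent signs are excluded.
SEGMENT_RE = re.compile(r"[A-Za-z0-9._:-]{1,200}")


class UnsafePathError(ValueError):
    """Raised when a request would resolve outside the repository root."""


def naive_target(root: str, *segments: str) -> str:
    """The pattern behind CWE-20 / path-traversal bugs: untrusted segments are joined into
    the path with no containment check, so '..' components walk out of the root."""
    return os.path.normpath(os.path.join(root, *segments))


def safe_target(root: str, *segments: str) -> str:
    """Hardened variant: validate each segment, then verify containment of the result."""
    root_norm = os.path.normpath(root)
    clean = []
    for raw in segments:
        seg = unquote(raw)  # judge the decoded form, so "%2e%2e%2f" is not waved through
        if seg in ("", ".", "..") or not SEGMENT_RE.fullmatch(seg):
            raise UnsafePathError(f"rejected path segment {raw!r}")
        clean.append(seg)
    candidate = os.path.normpath(os.path.join(root_norm, *clean))
    # Independent second check: the normalized path must still sit below the root.
    # commonpath (rather than startswith) also rejects siblings such as /srv/bom-repo-other.
    if os.path.commonpath([root_norm, candidate]) != root_norm:
        raise UnsafePathError(f"{candidate!r} escapes {root_norm!r}")
    return candidate


def is_safe(root: str, *segments: str) -> bool:
    """Boolean wrapper around safe_target for quick checks."""
    try:
        safe_target(root, *segments)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    serial = "urn:uuid:123e4567-e89b-12d3-a456-426614174000"  # constructed BOM serial number
    print("naive :", naive_target(REPO_ROOT, "../../var/other", "1"))
    print("safe  :", safe_target(REPO_ROOT, serial, "1"))
    for bad in (["../../var/other", "1"], ["%2e%2e%2fvar", "1"], ["", "1"], ["a/b", "1"]):
        print("reject:", bad, "->", is_safe(REPO_ROOT, *bad))
```

The two checks are deliberately redundant: the allowlist catches malformed input early with a clear error, and the containment check guards against any future change to the allowlist that reopens the hole.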
Potential Impact
For European organizations, the impact of this vulnerability depends on the adoption of CycloneDX BOM Repository Server within their software supply chain infrastructure. Organizations relying on CycloneDX for managing and distributing BOMs may face risks of service disruption or tampering with BOM repositories if running vulnerable versions with POST and DELETE methods enabled. This could lead to denial of service conditions, interrupting the ability to verify software components and dependencies, which is critical for compliance with European cybersecurity regulations such as the NIS Directive and the EU Cybersecurity Act. Disruption in BOM distribution could also affect software integrity assurance, increasing risk exposure to supply chain attacks. While no direct data confidentiality breach is expected, the integrity and availability of BOM data are crucial for secure software development and deployment pipelines. The threat is more pronounced for organizations with publicly accessible BOM repository servers or those with less restrictive network controls. Given the increasing emphasis on software supply chain security in Europe, especially in sectors like finance, critical infrastructure, and government, this vulnerability could have operational and compliance repercussions if exploited.
Mitigation Recommendations
1. Upgrade to CycloneDX BOM Repository Server version 2.0.1 or later, which contains the fix for this vulnerability.
2. If immediate upgrade is not feasible, ensure that the POST and DELETE HTTP methods remain disabled by verifying the appsettings.json configuration or by setting the environment variables ALLOWEDMETHODS__POST and ALLOWEDMETHODS__DELETE to false.
3. Restrict network access to the BOM repository server to trusted internal networks or VPNs to reduce exposure to unauthenticated remote attacks.
4. Implement web application firewalls (WAFs) with rules to detect and block path traversal attempts targeting the BOM repository server endpoints.
5. Monitor server logs for suspicious POST or DELETE requests containing path traversal patterns (e.g., ../ sequences).
6. Conduct regular integrity checks on the repository directories to detect unauthorized changes or deletions.
7. Incorporate BOM repository server security into supply chain risk management processes, ensuring timely patching and configuration audits.
8. Educate DevOps and security teams on the importance of secure configuration management for software supply chain tools.
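As an added example (not the project's code) for recommendations 2 and 5 above, the script below does two things: it scans access-log lines for POST or DELETE requests whose decoded path contains a ../ component, and it computes the effective state of the POST and DELETE methods from an appsettings.json document and the environment. The log lines are constructed for the example and the /v1/bom endpoint path is assumed. The environment variable names come from the advisory; the JSON key names AllowedMethods, Post and Delete are an assumption based on the ASP.NET Core rule that a double underscore in an environment variable name separates configuration sections, and a missing setting is treated as disabled, matching the stated default.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format; not output from the real server.
SAMPLE_LOG = """\
10.0.0.5 - - [21/May/2025:09:09:23 +0000] "GET /v1/bom?serialNumber=urn:uuid:123e4567-e89b-12d3-a456-426614174000 HTTP/1.1" 200 512
10.0.0.9 - - [21/May/2025:09:10:02 +0000] "POST /v1/bom/..%2F..%2Fescape HTTP/1.1" 201 0
10.0.0.9 - - [21/May/2025:09:10:05 +0000] "DELETE /v1/bom/%252e%252e/%252e%252e/escape HTTP/1.1" 204 0
10.0.0.7 - - [21/May/2025:09:11:40 +0000] "POST /v1/bom HTTP/1.1" 201 0
10.0.0.7 - - [21/May/2025:09:12:01 +0000] "GET /v1/bom/../static HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." component bounded by slashes (or by the start/end of the path).
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# The advisory scopes the issue to POST and DELETE; pass a different set to widen the scan.
WATCHED_METHODS = frozenset({"POST", "DELETE"})


def normalize_target(target: str) -> str:
    """Drop the query string, decode percent-encoding twice (catches double encoding)
    and fold backslashes to slashes so every spelling of '..' looks the same."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.replace("\\", "/")


def scan_log(log_text: str, methods=WATCHED_METHODS) -> list:
    """Return one finding per watched request whose decoded path contains a '..' step."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] not in methods:
            continue
        path = normalize_target(m["target"])
        if TRAVERSAL_RE.search(path):
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "raw": m["target"], "decoded": path, "status": int(m["status"]),
            })
    return findings


def effective_method_flags(appsettings: dict, env: dict) -> dict:
    """Effective POST/DELETE state: environment variables ALLOWEDMETHODS__POST and
    ALLOWEDMETHODS__DELETE override the JSON file (assumed key layout, see lead-in)."""
    section = {k.lower(): v for k, v in appsettings.get("AllowedMethods", {}).items()}
    flags = {}
    for method in ("post", "delete"):
        value = section.get(method, False)  # absent setting -> disabled (the stated default)
        if isinstance(value, str):
            value = value.strip().lower() == "true"
        override = env.get(f"ALLOWEDMETHODS__{method.upper()}")
        if override is not None:
            value = override.strip().lower() == "true"
        flags[method.upper()] = bool(value)
    return flags


if __name__ == "__main__":
    import json
    import os
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['raw']} -> {f['decoded']} ({f['status']})")
    # Point this at the server's real appsettings.json to audit a deployment.
    settings = {}
    if os.path.exists("appsettings.json"):
        with open("appsettings.json", encoding="utf-8") as fh:
            settings = json.load(fh)
    print("effective method flags:", effective_method_flags(settings, dict(os.environ)))
```

A request that the server answered with 201 or 204 after a decoded traversal path is the case to escalate: it means the mutating method was enabled at the time, so the filesystem should be compared against a known-good inventory (recommendation 6).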
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-02-10T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9843c4522896dcbf2b2e
Added to database: 5/21/2025, 9:09:23 AM
Last enriched: 6/23/2025, 12:05:20 PM
Last updated: 8/7/2025, 6:49:42 PM