CVE-2022-39296 is a path traversal vulnerability (CWE-22) found in versions of the melisplatform's melis-asset-manager up to and including 5.0.0. The melis-asset-manager component is responsible for delivering assets located in the public folders of various modules within the Melis Platform. Due to improper limitation of pathname inputs, an attacker can craft requests that traverse directories outside the intended asset directories, allowing them to read arbitrary files on the affected system. This can lead to the disclosure of sensitive information such as configuration files, credentials, or other private data stored on the server. Notably, exploitation of this vulnerability does not require any form of authentication or user interaction, making it accessible to unauthenticated remote attackers. The issue was addressed in version 5.0.1 by implementing strict restrictions on file access to ensure that only files within intended directories can be retrieved. There are no known exploits in the wild at the time of this analysis, but the vulnerability's nature and ease of exploitation make it a significant concern for affected deployments. Since melis-asset-manager is a component used within the Melis Platform, organizations using this platform with vulnerable versions are at risk of sensitive data exposure through this flaw.

For European organizations using the Melis Platform with vulnerable versions of melis-asset-manager, this vulnerability poses a risk of unauthorized disclosure of sensitive information. The ability for unauthenticated attackers to read arbitrary files can lead to leakage of critical data such as internal configuration files, credentials, or intellectual property, potentially facilitating further attacks like privilege escalation or lateral movement. This can undermine confidentiality and potentially impact integrity if sensitive configuration files are exposed and manipulated indirectly. The availability impact is limited as the vulnerability primarily allows information disclosure rather than denial of service. However, the exposure of sensitive data can lead to reputational damage, regulatory non-compliance (especially under GDPR), and financial loss. Given the lack of authentication requirements, the attack surface is broad, increasing the likelihood of exploitation if vulnerable instances are internet-facing. European organizations in sectors with high data sensitivity, such as finance, healthcare, and government, could face heightened risks. Furthermore, the vulnerability could be leveraged in targeted attacks against strategic assets or critical infrastructure that rely on the Melis Platform.

Organizations should immediately upgrade melis-asset-manager to version 5.0.1 or later, where the vulnerability has been patched by enforcing strict directory access controls. Until upgrades can be applied, organizations should implement web application firewall (WAF) rules to detect and block path traversal patterns in HTTP requests targeting the melis-asset-manager endpoints. Additionally, restricting access to the asset manager service to trusted internal networks or VPNs can reduce exposure. Conducting thorough audits of server file permissions and ensuring that sensitive files are not stored in publicly accessible directories can limit the impact of potential exploitation. Monitoring logs for suspicious access patterns indicative of path traversal attempts is also recommended. Finally, organizations should review their incident response plans to include scenarios involving unauthorized data disclosure via path traversal vulnerabilities.