
CVE-2022-45866: n/a in n/a

Severity: Medium
Tags: Vulnerability, CVE-2022-45866, cve, n-a, cwe-22
Published: Wed Nov 23 2022 (11/23/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file.

AI-Powered Analysis

Last updated: 06/24/2025, 15:06:29 UTC

Technical Analysis

CVE-2022-45866 is a directory traversal vulnerability in qpress, a compression utility used notably by Percona XtraBackup and potentially other products. It affects qpress versions prior to the PierreLvx/qpress 20220819 release and prior to version 11.3. The root cause is that qpress does not validate the file paths stored inside a .qp archive, so an attacker can embed '../' sequences that escape the intended extraction directory; during decompression, files are then written to arbitrary locations on the filesystem. The issue is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), meaning the software fails to properly sanitize or validate file paths. The CVSS v3.1 base score is 5.3 (medium severity); the vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), limited confidentiality impact (C:L), and no impact on integrity or availability (I:N/A:N). No exploits in the wild are known, and no official patches or vendor advisories are linked in the provided data. An unauthenticated attacker can craft a malicious .qp archive that, when decompressed by a vulnerable qpress version, writes files outside the intended directory, potentially overwriting critical files or planting malicious payloads; if the decompression runs under a privileged process or service, this could be leveraged for local privilege escalation or persistence. Note, however, that the CVSS vector scores only a limited confidentiality impact and no direct integrity or availability impact. Exploitation requires that the victim decompress a malicious archive, which may be delivered over the network or by other means depending on how qpress or Percona XtraBackup is deployed. Since no user interaction is required, automated processes that decompress untrusted archives are at risk. The absence of a vendor or product name beyond qpress and Percona XtraBackup suggests the vulnerability may affect multiple products that embed qpress for compression tasks.

Potential Impact

For European organizations, the primary impact of CVE-2022-45866 lies in the potential unauthorized disclosure of sensitive data or exposure of system files due to directory traversal during decompression. Organizations using Percona XtraBackup or other products embedding vulnerable qpress versions may face risks of attackers placing malicious files in arbitrary locations, which could facilitate further attacks such as privilege escalation or persistence. While the vulnerability does not directly compromise integrity or availability, the ability to write files outside intended directories can undermine system security and trustworthiness. This is particularly critical for organizations handling sensitive or regulated data, such as financial institutions, healthcare providers, and critical infrastructure operators, where backup integrity and confidentiality are paramount. Additionally, automated backup or restoration processes that decompress untrusted archives without validation are at risk. The medium severity score reflects a moderate risk; however, the actual impact depends on the deployment context, privilege level of the decompression process, and exposure to untrusted archive files. Since no known exploits are reported, the immediate threat may be low, but the vulnerability should be addressed promptly to prevent potential exploitation. European organizations relying on Percona XtraBackup for MySQL or MariaDB backups, or other software incorporating vulnerable qpress versions, should assess their exposure and remediate accordingly.

Mitigation Recommendations

1. Upgrade qpress to version 20220819 or later, or version 11.3 or later, where the directory traversal vulnerability is fixed.
2. For Percona XtraBackup users, update to the latest version that includes the patched qpress component.
3. Implement strict validation and sanitization of archive files before decompression, especially if archives originate from untrusted or external sources.
4. Restrict decompression operations to run with the least privileges necessary to minimize the potential impact of arbitrary file writes.
5. Employ sandboxing or containerization for decompression processes to contain any malicious file writes within isolated environments.
6. Monitor file system changes in directories used for decompression to detect unexpected file creations or modifications.
7. Review backup and restore workflows to ensure that only trusted archives are processed and that integrity checks (e.g., cryptographic signatures) are in place.
8. If immediate patching is not feasible, consider disabling automatic decompression of .qp files or restricting access to decompression utilities.
9. Maintain up-to-date asset inventories to identify all systems using vulnerable qpress versions for targeted remediation.
10. Educate system administrators and security teams about this vulnerability and the importance of verifying archive sources.
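As an added example (not part of this advisory or of the qpress project), the following Python shows the kind of entry-path validation that mitigation 3 calls for and that the CWE-22 weakness described in the Technical Analysis lacks: each archive entry name is resolved lexically against the extraction root and rejected if it would land outside it. The extraction root /srv/restore and the entry names are constructed for illustration.

```python
import posixpath
from typing import Iterable, Optional

# Assumed extraction root for this example (not a real qpress/XtraBackup path).
DEST_ROOT = "/srv/restore"

# Constructed archive entry names illustrating safe and unsafe cases.
SAMPLE_ENTRIES = [
    "ibdata1.qp",                      # plain file inside the root
    "mysql/user.MYD",                  # nested path, stays inside
    "tmp/../xtrabackup_info",          # '..' that still resolves inside
    "../../../etc/passwd",             # classic '../' traversal (CWE-22)
    "/etc/passwd",                     # absolute path ignores the root
    "sub\\..\\..\\..\\root\\.bashrc",  # backslash variant of the same trick
    "../restore2/escaped",             # sibling-directory prefix trick
]

def resolve_entry(dest_root: str, entry_name: str) -> Optional[str]:
    """Return the on-disk path for an archive entry, or None if it would be
    written outside dest_root. The check is purely lexical; symlinks already
    present under dest_root are a separate concern not handled here."""
    if not entry_name or "\0" in entry_name:
        return None
    name = entry_name.replace("\\", "/")   # do not let '\' bypass the check
    if name.startswith("/"):               # absolute names are never allowed
        return None
    root = posixpath.normpath(dest_root)
    candidate = posixpath.normpath(posixpath.join(root, name))
    # commonpath, not startswith: '/srv/restore2' must not pass as '/srv/restore'.
    if posixpath.commonpath([root, candidate]) != root or candidate == root:
        return None
    return candidate

def check_entries(dest_root: str, entry_names: Iterable[str]) -> dict:
    """Split an archive's entry list into accepted {name: path} and rejected
    names, so the list can be vetted before the decompressor runs."""
    result = {"accepted": {}, "rejected": []}
    for name in entry_names:
        path = resolve_entry(dest_root, name)
        if path is None:
            result["rejected"].append(name)
        else:
            result["accepted"][name] = path
    return result

if __name__ == "__main__":
    print(check_entries(DEST_ROOT, SAMPLE_ENTRIES))
```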


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-11-23T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d983ec4522896dcbeff92

Added to database: 5/21/2025, 9:09:18 AM

Last enriched: 6/24/2025, 3:06:29 PM

Last updated: 8/12/2025, 9:41:01 PM
