GHSA-9w9f-6mg8-jp7w · 深刻度: medium · エコシステム: go — Missing Role Based Access Control for the REST handlers in bleve/http package
Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (bleve/http) handlers for exposing the access to the indexes. For instance, the CreateIndexHandler (`http/index_create.go`) and DeleteIndexHandler (`http/index_delete.go`) enable an attacker to create a bleve index (directory structure) anywhere where the user running the server has the write permissions and to delete recursively any directory owned by the same user account. Users who have used the bleve/http package for exposing access to bleve index without the explicit handling for the Role Based Access Controls(RBAC) of the index assets would be impacted by this issue. Version 2.5.0 relocated the `http/` dir used _only_ by bleve-explorer to `blevesearch/bleve-explorer`, thereby addressing the issue. However, the http package is purely intended to be used for demonstration purposes. Bleve was never designed handle the RBACs, nor it was ever advertised to be used in that way. The collaborators of this project have decided to stay away from adding any authentication or authorization to bleve project at the moment. The bleve/http package is mainly for demonstration purposes and it lacks exhaustive validation of the user inputs as well as any authentication and authorization measures. It is recommended to not use bleve/http in production use cases.
総合評価: CVE-2022-31022 は低リスク(33.7/100)。CVSS 深刻度は中。悪用される可能性が高い(EPSS 0.33%、25 パーセンタイル) 推奨対応: 悪用情報と EPSS の推移を監視し、必要に応じて優先度を見直してください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.12% | 0.33% | +0.21% |
| 2 | 2026-06-13 | 0.18% | 0.12% | -0.06% |
| 3 | 2026-04-30 | — | 0.18% | — |
EPSS の全履歴 (全 10 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 6.2 | 3.1 | MEDIUM |
|
2.5 | 3.6 | [email protected] |
| 5.5 | 3.1 | MEDIUM |
|
1.8 | 3.6 | [email protected] |
| 2.1 | 2.0 | LOW |
|
3.9 | 2.9 | [email protected] |
GHSA-9w9f-6mg8-jp7w · 深刻度: medium · エコシステム: go — Missing Role Based Access Control for the REST handlers in bleve/http package
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
unimportant | CVE-2022-31022 unimportant priority: Debian including 1 source packages (golang-github-blevesearch-bleve), 1 status rows across 1 suites (bullseye): open 1. | https://security-tracker.debian.org/tracker/CVE-2022-31022 |
ubuntu
|
medium | CVE-2022-31022 medium priority: Ubuntu including 1 source packages (golang-github-blevesearch-bleve), 14 status rows across 14 suites (bionic, focal, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 9, needs-triage 4, ignored 1. | https://ubuntu.com/security/CVE-2022-31022 |
| URL | タグ |
|---|---|
| https://github.com/blevesearch/bleve/commit/1c7509d6a17d36f265c90b4e8f4e3a3182fe79ff | Patch Third Party Advisory |
| https://github.com/blevesearch/bleve/commit/af9e3111dadfedf9d30f0448506b4a57fecc8550 | Patch Third Party Advisory |
| https://github.com/blevesearch/bleve/security/advisories/GHSA-9w9f-6mg8-jp7w | Third Party Advisory |