Description
qpress before PierreLvx/qpress 20220819 and before version 11.3, as used in Percona XtraBackup and other products, allows directory traversal via ../ in a .qp file.
References (8)
Core References
Patch, Third Party Advisory
https://github.com/EvgeniyPatlan/qpress/commit/ddb312090ebd5794e81bc6fb1dfb4e79eda48761
Patch, Third Party Advisory
https://github.com/PierreLvx/qpress/compare/20170415...20220819
Exploit, Third Party Advisory
https://github.com/PierreLvx/qpress/pull/6
Exploit, Third Party Advisory
https://github.com/percona/percona-xtrabackup/pull/1366
Product
https://pkgs.org/download/qpress
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQWF7635AJSDKEIGLB73XAH643POGTFY/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4RXO3VYIFRTNIFHWIAZWND6ZXQ5OYOB/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UUZ73XT2FXLHC7I4ODLOVB4O4QN7Q7JB/
Scores
CVSS v3
5.3
EPSS
0.0059
EPSS Percentile
69.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (4)
fedoraproject/fedora 35
fedoraproject/fedora 36
fedoraproject/fedora 37
qpress_project/qpress < 11.3
Published
Nov 23, 2022
Tracked Since
Feb 18, 2026