CVE-2022-31511
📋 TL;DR
This vulnerability allows attackers to read arbitrary files on the server by exploiting an unsafe use of Flask's send_file function. It affects any system running code from the AFDudley/equanimity GitHub repository in versions through April 23, 2014. Attackers can access sensitive files outside the intended directory structure.
💻 Affected Systems
- AFDudley/equanimity repository
📦 What is this software?
Equanimity by Equanimity Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive configuration files, credentials, or private keys leading to further attacks.
Likely Case
Exfiltration of sensitive data including configuration files, source code, or user data stored on the server.
If Mitigated
Limited impact with proper file permissions and web server configurations restricting access to sensitive directories.
🎯 Exploit Status
Path traversal attacks are well-understood and easy to automate. The vulnerability is in a public GitHub repository with known exploitation patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://github.com/github/securitylab/issues/669
Restart Required: No
Instructions:
1. Remove or replace the vulnerable equanimity repository code.
2. Implement proper input validation and path sanitization.
3. Use Flask's send_file with safe path handling or implement custom secure file serving.
🔧 Temporary Workarounds
Implement Input Validation
Add validation to ensure file paths are within allowed directories before passing them to send_file.
# Python code to validate paths
import os
from flask import abort

# Resolve the base directory once so the comparison below is against a canonical path.
BASE_DIR = os.path.realpath('/allowed/path')

def safe_path(user_input):
    # os.path.join does not collapse '..' and an absolute user_input would discard
    # BASE_DIR entirely, so resolve the joined path first and then confirm it is
    # still inside BASE_DIR. A plain startswith() check would also accept a sibling
    # directory such as '/allowed/path2'; commonpath compares whole path components.
    # Flask's send_from_directory performs an equivalent containment check.
    requested_path = os.path.realpath(os.path.join(BASE_DIR, user_input))
    if os.path.commonpath([BASE_DIR, requested_path]) != BASE_DIR:
        abort(403)
    return requested_path
Web Server Restrictions
Configure the web server to restrict access to sensitive directories.
# Nginx configuration
location ~ /\. {
    deny all;
}

# Apache configuration
<Directory "/var/www/sensitive">
    Require all denied
</Directory>
🧯 If You Can't Patch
- Isolate the vulnerable application in a container or VM with minimal file access permissions.
- Implement network segmentation and WAF rules to block path traversal patterns in requests.
🔍 How to Verify
Check if Vulnerable:
Review Flask application code for unsanitized user input passed to send_file() function. Check if the application uses the AFDudley/equanimity repository code.
Check Version:
# Check if equanimity repository is present
grep -r "equanimity" /path/to/application/ || find /path/to/application -name "*.py" -exec grep -l "AFDudley" {} \;
Verify Fix Applied:
Test with path traversal payloads (e.g., '../../etc/passwd') and verify the application rejects them or returns appropriate error messages.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' patterns
- 403/404 errors for sensitive file paths
- Unusual file access patterns in application logs
Network Indicators:
- HTTP requests with encoded path traversal sequences (%2e%2e%2f)
- Multiple failed attempts to access sensitive file paths
SIEM Query:
source="web_logs" AND (uri="*..%2f*" OR uri="*../*") AND response="200"
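As an added example (not from the original page or the equanimity project), the following script applies the log indicators above to constructed access-log lines: it percent-decodes each request path repeatedly so that encoded and double-encoded traversal sequences are caught, flags any path containing a '..' segment, and marks requests that received a 200 response as likely successful, mirroring the SIEM query. The sample log lines, IP addresses and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /static/../../etc/passwd HTTP/1.1" 200 1820 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /static/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 153 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /static/%252e%252e/%252e%252e/app/config.py HTTP/1.1" 200 944 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' path segment delimited by '/' or '\' (or at either end of the path).
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')

def decode_uri(uri, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are caught."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(line):
    """Return a finding dict for a traversal attempt, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_uri(m.group('uri').split('?', 1)[0])  # drop the query string
    if not TRAVERSAL_RE.search(path):
        return None
    status = int(m.group('status'))
    return {
        'ip': m.group('ip'),
        'path': path,
        'status': status,
        # A 200 on a traversal path suggests the request was served, not blocked.
        'severity': 'likely-success' if status == 200 else 'attempt',
    }

def scan_log(text):
    return [hit for hit in (classify(l) for l in text.splitlines()) if hit]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```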