CVE-2022-31517
📋 TL;DR
This vulnerability allows attackers to read arbitrary files on the server through absolute path traversal in the HolgerGraef/MSM repository. It affects any system running this software with the vulnerable Flask send_file implementation. Attackers can access sensitive files like configuration files, passwords, or system files.
💻 Affected Systems
- HolgerGraef/MSM repository
📦 What is this software?
Mercury Sample Manager by Mercury Sample Manager Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like SSH keys, database credentials, or configuration files leading to lateral movement and data exfiltration.
Likely Case
Unauthorized access to sensitive application files, configuration data, and potentially user data stored on the server filesystem.
If Mitigated
Limited to reading files within the application's directory if proper file access controls and input validation are implemented.
🎯 Exploit Status
The vulnerability is simple to exploit by manipulating file paths in requests to the Flask application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2021-04-20 with proper path validation
Vendor Advisory: https://github.com/github/securitylab/issues/669
Restart Required: Yes
Instructions:
1. Update to a version after 2021-04-20 with proper path validation.
2. Replace unsafe Flask send_file usage with secure alternatives.
3. Restart the application service.
🔧 Temporary Workarounds
Implement Input Validation
Add server-side validation to reject absolute paths and path traversal sequences.
# Python code to validate file paths before they reach send_file
import os
from flask import abort

def validate_path(user_input):
    # Normalize first so that "a/../../x" is judged after the components collapse
    normalized = os.path.normpath(user_input)
    # Reject absolute paths (POSIX "/..." and, on Windows, drive-letter forms)
    if os.path.isabs(normalized):
        abort(400, 'Absolute paths not allowed')
    # Reject any remaining ".." (deliberately broad: also catches "..\" spellings)
    # and a leading slash that survived normalization
    if '..' in normalized or normalized.startswith('/'):
        abort(400, 'Path traversal detected')
    return normalized
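The workaround above judges the request string itself. An added example (not code from the MSM project or this advisory) of the stronger check a replacement download handler would use: the requested name is anchored under a download directory and the resolved path is tested for containment, which also covers percent-encoded names, Windows-style absolute paths and symlinks pointing outside the directory. `resolve_download`, `classify` and `demo` are hypothetical names, and the sample files and requests are constructed.

```python
import ntpath, os, posixpath, tempfile
from urllib.parse import unquote

class UnsafePath(ValueError):
    """Requested name would resolve outside the download directory."""

def resolve_download(base_dir, requested):
    """Return the on-disk path for a user-supplied name, or raise UnsafePath.

    Hypothetical hardened handler logic, not MSM's code: the name is anchored
    under base_dir and the *resolved* result is checked for containment.
    """
    # Decode one layer of percent-encoding so "%2e%2e/" is judged as "../".
    decoded = unquote(requested)
    # Absolute names are never acceptable, whichever platform's spelling is used.
    if (posixpath.isabs(decoded) or ntpath.isabs(decoded)
            or ntpath.splitdrive(decoded)[0] or decoded[:1] == "\\"):
        raise UnsafePath("absolute path rejected: %r" % requested)
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the containment check
    # sees where the file really lives rather than how the name was spelled.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath("path escapes download directory: %r" % requested)
    return candidate

def classify(base_dir, names):
    """Map each requested name to True (servable) or False (blocked)."""
    verdicts = {}
    for name in names:
        try:
            resolve_download(base_dir, name)
            verdicts[name] = True
        except UnsafePath:
            verdicts[name] = False
    return verdicts

def demo():
    """Run constructed requests against a scratch download directory."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "report.csv"), "w") as fh:
            fh.write("constructed sample\n")
        # Constructed symlink escaping the directory, as a malicious upload might.
        os.symlink(os.path.dirname(base), os.path.join(base, "up"))
        return classify(base, ["report.csv", "sub/../report.csv", "/etc/passwd",
                               "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                               "up/secret.txt", "C:\\Windows\\win.ini"])
```

Calling demo() returns the verdict for each constructed request; only the two names that stay inside the scratch directory are marked servable.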
Web Application Firewall Rules
Configure the WAF to block requests containing path traversal patterns.
# Example WAF rule to block path traversal
# Block requests containing:
# ../
# ..\
# absolute paths starting with /
# encoded variations of the above
🧯 If You Can't Patch
- Implement strict file access controls and run the application with minimal privileges
- Deploy network segmentation to isolate the vulnerable system from sensitive resources
🔍 How to Verify
Check if Vulnerable:
Test if the application allows accessing files using absolute paths (e.g., /etc/passwd) or path traversal sequences (../../etc/passwd) through file download endpoints.
Check Version:
Check the repository commit date or the version information in the application code.
Verify Fix Applied:
Attempt to access sensitive files using absolute paths and path traversal sequences - all attempts should be blocked or return error responses.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing absolute paths (/etc/, /root/, C:\\)
- Requests with multiple ../ sequences
- Failed file access attempts to sensitive paths
- Unusual file access patterns from single IPs
Network Indicators:
- HTTP requests with path traversal payloads in URL parameters
- Multiple failed file access attempts
- Requests for known sensitive files
SIEM Query:
source="web_logs" AND (url="*../*" OR url="*/etc/*" OR url="*/root/*" OR url="*C:\\*" OR url="*/windows/*")