CVE-2022-31519

9.3 CRITICAL

📋 TL;DR

This vulnerability allows attackers to perform absolute path traversal attacks in the Lukasavicus/WindMill repository up to version 1.0. By exploiting unsafe usage of Flask's send_file function, attackers can read arbitrary files from the server filesystem. Anyone running WindMill versions through 1.0 is affected.

💻 Affected Systems

Products:
  • Lukasavicus/WindMill
Versions: through 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments using the vulnerable Flask send_file implementation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through reading sensitive files like SSH keys, configuration files, or database credentials, potentially leading to full system takeover.

🟠 Likely Case

Unauthorized access to sensitive server files containing configuration data, credentials, or user information.

🟢 If Mitigated

Limited impact with proper file permissions and network segmentation preventing access to critical system files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Path traversal vulnerabilities are commonly exploited and require minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.0

Vendor Advisory: https://github.com/github/securitylab/issues/669

Restart Required: Yes

Instructions:

1. Update to the latest version of the WindMill repository.
2. Restart the WindMill service.
3. Verify the fix by testing path traversal attempts.

🔧 Temporary Workarounds

Input Validation (all)

Implement strict input validation to reject any file paths containing directory traversal sequences.

File Access Restriction (all)

Configure the application to run with minimal file system permissions and restrict access to sensitive directories.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with path traversal protection rules.
  • Isolate the vulnerable system in a segmented network with strict outbound controls.

🔍 How to Verify

Check if Vulnerable:

Test if the application allows accessing files outside the intended directory using path traversal sequences like '../../etc/passwd'.

Check Version:

Check the WindMill version in the application configuration or package manager.

Verify Fix Applied:

Attempt the same path traversal tests after patching to confirm they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns, multiple failed attempts to access system files, requests containing '../' sequences

Network Indicators:

  • HTTP requests with path traversal sequences in URL parameters

SIEM Query:

source="web_server" AND (url="*../*" OR url="*..\\*" OR url="*%2e%2e%2f*")
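As an added illustration, not WindMill's code and not the upstream patch: a stdlib-only Python sketch of the join-and-serve pattern behind the Input Validation workaround above, the hardened resolver that belongs in front of send_file, and a log-side check mirroring the SIEM query; BASE_DIR and the sample URLs are assumed values. Note that the query above keys on '../', so requests carrying a bare absolute path, the form this CVE's "absolute path traversal" describes, need the extra check shown here.

```python
import os
from urllib.parse import unquote

# Assumed base directory for served files (placeholder, not WindMill's real path).
BASE_DIR = "/srv/app/files"


def naive_join(base, requested):
    """The pattern to avoid: os.path.join drops every earlier component as soon
    as it meets an absolute path, so an absolute request escapes base entirely.
    This is the shape of the absolute path traversal the advisory describes."""
    return os.path.normpath(os.path.join(base, requested))


def resolve_under_base(base, requested):
    """Resolve a request-supplied path and return it only if it stays inside base.

    Percent-decodes first (covers the %2e%2e%2f form from the SIEM query),
    rejects absolute or leading-separator input outright, then resolves symlinks
    and does a separator-aware prefix check against the real base directory."""
    decoded = unquote(requested)
    if not decoded or os.path.isabs(decoded) or decoded[0] in "/\\":
        return None
    root = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def looks_like_traversal(url):
    """Log-side check mirroring the SIEM query after double percent-decoding.
    It also flags absolute paths in query-string values, which '../' patterns
    alone miss and which are exactly what this CVE turns on."""
    decoded = unquote(unquote(url))
    query = decoded.partition("?")[2]
    values = (kv.partition("=")[2] for kv in query.split("&") if kv)
    return ("../" in decoded or "..\\" in decoded
            or any(v.startswith(("/", "\\")) for v in values))


# Constructed sample requests (not real traffic) exercising each check.
SAMPLE_URLS = [
    "/download?file=report.pdf",
    "/download?file=..%2F..%2Fetc%2Fpasswd",
    "/download?file=%2Fetc%2Fpasswd",
]
```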
