CVE-2022-31521
📋 TL;DR
An absolute path traversal in the Flask application in the mosaic repository lets an attacker read arbitrary files on the server. It affects any deployment of mosaic version 1.0.0 or earlier that exposes the vulnerable endpoint. The root cause is a file-serving route that hands a user-controlled path to Flask's send_file without checking that it resolves inside the intended directory; because os.path.join discards the base directory as soon as the user-supplied component is absolute, a request for /etc/passwd is served as-is, with no '..' needed.
💻 Affected Systems
- mosaic
📦 What is this software?
Mosaic by Mosaic Project
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file the application process can read, including /etc/passwd, SSH private keys, application configuration, database credentials and the application's own source. Read access alone does not give code execution, but leaked credentials or keys are routinely reusable for full system takeover.
Likely Case
Unauthorized access to sensitive server files containing credentials, configuration data, or user information, enabling further attacks or data theft.
If Mitigated
Limited impact with proper file permissions, web server sandboxing, and network segmentation preventing access to critical system files.
🎯 Exploit Status
The vulnerability is simple to exploit with basic HTTP requests. Public GitHub issues demonstrate the attack vector, making exploitation trivial for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://github.com/github/securitylab/issues/669
Restart Required: Yes
Instructions:
1. Check whether you're running mosaic version 1.0.0 or earlier.
2. Remove or disable the mosaic application immediately.
3. Monitor the repository for security updates.
4. Consider alternative software, as this appears to be an abandoned project.
🔧 Temporary Workarounds
Implement Input Validation (all platforms)
Add server-side validation that resolves the requested file name under the intended base directory and refuses anything that ends up outside it: absolute paths (the vector this CVE is about), '..' segments, their percent-encoded and backslash variants, and symlinks that point out of the directory.
# Add path validation in Flask route handlers. A substring check such as
# if '..' in filename or filename.startswith('/'): return 'Invalid request'
# is only a stopgap: it misses %2e%2e, double encoding and backslashes.
# Prefer flask.send_from_directory(base_dir, filename), which resolves the
# path with werkzeug's safe_join and answers 404 when it would leave base_dir.
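To make the check concrete, here is an added Python example, not code from the mosaic project, that puts the vulnerable join pattern next to a hardened resolver built on the standard library's realpath/commonpath comparison (Flask's send_from_directory gives equivalent protection; this shows what it has to get right). The function names vulnerable_join, resolve_under_base and run_demo, and the throwaway directory tree with a photo, a secret and an escaping symlink, are assumptions constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote


def vulnerable_join(base_dir, user_path):
    """The pattern behind absolute path traversal. os.path.join discards
    base_dir as soon as user_path is absolute, so send_file(vulnerable_join(...))
    serves any file the process can read."""
    return os.path.join(base_dir, user_path)


def resolve_under_base(base_dir, user_path):
    """Return the real path of user_path inside base_dir, or None if it escapes.

    Order of checks: embedded NUL bytes, percent-encoding (decoded twice to
    catch double encoding; Flask already decodes once before the view runs),
    backslash separators, then a realpath/commonpath comparison that rejects
    absolute paths, '..' segments and symlinks pointing outside base_dir.
    """
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")
    base_real = os.path.realpath(base_dir)
    # os.path.join still drops base_real when 'decoded' is absolute; the
    # commonpath comparison below is what turns that into a rejection.
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    try:
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:  # Windows: paths on different drives
        inside = False
    if not inside or candidate == base_real:
        return None
    return candidate


def run_demo():
    """Build a throwaway tree (constructed for this example, not real data) and
    report which request values would be served. Returns {request: path or None}."""
    root = tempfile.mkdtemp(prefix="mosaic-demo-")
    base = os.path.join(root, "uploads")
    os.makedirs(base)
    with open(os.path.join(base, "photo.jpg"), "w") as fh:
        fh.write("fake image bytes")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("db_password=example")
    # A symlink inside the served directory that points outside it.
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))

    requests = [
        "photo.jpg",               # legitimate request
        "/etc/passwd",             # absolute path: the vector behind this CVE
        "../secret.txt",           # classic dot-dot traversal
        "%2e%2e/secret.txt",       # percent-encoded traversal
        "%252e%252e/secret.txt",   # double-encoded traversal
        "..\\secret.txt",          # backslash separator
        "link",                    # symlink escaping the base directory
        "photo.jpg\x00.png",       # NUL truncation attempt
    ]
    return {r: resolve_under_base(base, r) for r in requests}


if __name__ == "__main__":
    for request, served in run_demo().items():
        print(f"{request!r:28} -> {'served ' + served if served else 'REJECTED'}")
```

Only photo.jpg resolves; every other request value, including the absolute path that contains no '..' at all, comes back as None and should be answered with a 404. Note that resolving symlinks means a legitimate symlink inside the served directory that points outside it is also refused, which is the safe default for an upload directory.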
Web Server Restrictions (linux)
Configure the reverse proxy (nginx/apache) to reject requests containing traversal patterns. Two caveats: nginx's $request_uri is the raw request line, so percent-encoded forms (%2e%2e, %2f) must be matched explicitly; and this CVE's primary vector is an absolute path such as /etc/passwd, which contains no '..' at all, so a rule that only matches dot-dot does not block it. Match the file parameter's value against a leading slash as well (narrow the parameter name to the vulnerable one if the generic rule breaks legitimate requests), and treat this as defence in depth rather than a fix.
# nginx example in location block:
# if ($request_uri ~* "(\.\.|%2e%2e|%2e\.|\.%2e)") { return 403; }
# if ($args ~* "(^|&)[^=]+=(/|%2f)") { return 403; }
🧯 If You Can't Patch
- Isolate the mosaic application in a container or VM with minimal file access
- Implement strict network access controls to limit who can reach the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Send the vulnerable endpoint an absolute path (for example /etc/passwd) and a relative traversal (../../etc/passwd) in its file parameter; if the response body contains the file, the instance is vulnerable. Note that curl and nginx normalize '..' segments in the URL path, so a traversal that sits in the path rather than in a query parameter may need to be percent-encoded (%2e%2e) or sent with curl --path-as-is to reach the application.
Check Version:
mosaic is a Python/Flask application, so look for the version in its packaging metadata (setup.py or pyproject.toml) or a version string in the source, or examine the repository's git tags.
Verify Fix Applied:
Repeat the same requests and confirm they are rejected (a 4xx response with no file contents) rather than served.
📡 Detection & Monitoring
Log Indicators:
- Requests whose path or query string contains '..' or its percent-encoded forms (%2e%2e, %2e., .%2e), or backslashes (%5c)
- Requests whose file parameter is an absolute path (/etc/passwd, /proc/self/environ, /root/.ssh/id_rsa); these contain no '..' at all, so a dot-dot-only rule misses them
- 200 responses to such requests are the critical signal (a file was probably disclosed); 403/404 responses indicate blocked or failed attempts
Network Indicators:
- HTTP traffic patterns showing repeated failed file access attempts
- Unusual file read patterns from web application
SIEM Query:
web_access_logs WHERE url_decode(url) CONTAINS '..' OR url_decode(url) CONTAINS '/etc/' OR url_decode(query_value) STARTS WITH '/' (decode percent-encoding before matching, and prioritise hits with status 200)
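As an added example (not from the page's source or the mosaic project), the following Python runs that query logic over a handful of constructed nginx access-log lines. The endpoint name /image and parameter name file are assumptions standing in for whatever the vulnerable route actually uses, and the log lines are invented for the example. It decodes percent-encoding (twice, to catch double encoding) before matching, flags absolute-path values that contain no '..', and separates successful reads (status 200) from blocked attempts, which is the distinction a raw-URL SIEM query cannot make.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (not from any real system) in nginx "combined" format.
# /image and file= are assumed names for the vulnerable route and parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2022:12:00:01 +0000] "GET /image?file=cat.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2022:12:00:02 +0000] "GET /image?file=/etc/passwd HTTP/1.1" 200 2931 "-" "curl/7.81.0"
203.0.113.9 - - [10/Jun/2022:12:00:03 +0000] "GET /image?file=..%2F..%2Fapp%2Fconfig.py HTTP/1.1" 200 812 "-" "curl/7.81.0"
203.0.113.9 - - [10/Jun/2022:12:00:04 +0000] "GET /image?file=%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0 "-" "python-requests/2.27"
198.51.100.2 - - [10/Jun/2022:12:00:05 +0000] "GET /static/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2022:12:00:06 +0000] "GET /image?file=..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 200 92 "-" "curl/7.81.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Substrings that mark a read of something worth stealing; tune per deployment.
SENSITIVE = ("/etc/", "/proc/", "/root/", "/home/", ".ssh", ".env", "config")


def _decode(value):
    """Decode twice (to expose double encoding) and fold backslashes into slashes."""
    return unquote(unquote(value)).replace("\\", "/")


def classify(target):
    """Return the reasons a request target looks like traversal; [] if benign."""
    reasons = []
    parts = urlsplit(target)
    path = _decode(parts.path)
    if ".." in path.split("/"):
        reasons.append("dot-dot in path")
    if any(s in path for s in SENSITIVE):
        reasons.append("sensitive path in path")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        value = _decode(value)  # parse_qsl already decoded once
        if value.startswith("/"):
            reasons.append(f"absolute path in {key}")
        if ".." in value.split("/"):
            reasons.append(f"dot-dot in {key}")
        if any(s in value for s in SENSITIVE):
            reasons.append(f"sensitive path in {key}")
    return reasons


def scan(log_text):
    """Return alerts as (ip, severity, target, reasons). severity is READ when
    the server answered 200 (file likely disclosed) and ATTEMPT otherwise."""
    alerts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        reasons = classify(match["target"])
        if reasons:
            severity = "READ" if match["status"] == "200" else "ATTEMPT"
            alerts.append((match["ip"], severity, match["target"], reasons))
    return alerts


if __name__ == "__main__":
    for ip, severity, target, reasons in scan(SAMPLE_LOG):
        print(f"{severity:7} {ip:14} {target}  <- {', '.join(reasons)}")
```

On the sample, the cat.jpg request is left alone, the absolute-path read of /etc/passwd is flagged even though it contains no '..', and the three 200 responses are reported as READ so the analyst triages actual disclosures before blocked probes.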