CVE-2022-31523
📋 TL;DR
This vulnerability allows attackers to read arbitrary files on the server through absolute path traversal in the PaddlePaddle/Anakin repository: a client-supplied path is handed to Flask's send_file function without being constrained to a base directory, so an absolute path such as /etc/passwd is served as-is. It affects users running Anakin versions through 0.1.1 with the vulnerable send_file implementation. Because the traversal is absolute, the attacker needs no '../' sequences, only the full path of a file the application process can read.
💻 Affected Systems
- PaddlePaddle/Anakin
📦 What is this software?
Anakin is the PaddlePaddle (Baidu) deep learning inference engine hosted at github.com/PaddlePaddle/Anakin; the vulnerable code is Flask-based file-serving code in that repository.
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file the service account can read, such as /etc/passwd, SSH private keys, or configuration files containing credentials, which can then be used for lateral movement and data exfiltration. The flaw itself is read-only; further compromise follows from what the leaked files contain.
Likely Case
Unauthorized access to sensitive application files, configuration data, or system files that could enable further attacks or data theft.
If Mitigated
Limited to the files readable by the service account; a least-privilege account, restrictive file system permissions, and network segmentation shrink the exposure, but information disclosure from the application's own directory remains possible.
🎯 Exploit Status
A single HTTP request whose file parameter is an absolute path (for example /etc/passwd) is enough; no '../' sequences or authentication bypass are required. The public GitHub Security Lab issue linked below demonstrates the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 0.1.1
Vendor Advisory: https://github.com/github/securitylab/issues/669#issuecomment-1117265726
Restart Required: Yes
Instructions:
1. Update to the latest version of the Anakin repository.
2. Replace the vulnerable Flask send_file usage with a secure implementation: reject absolute paths, and serve files only from a fixed base directory (for example with Flask's send_from_directory, which refuses paths that escape that directory).
3. Restart the application service.
🔧 Temporary Workarounds
Input Validation and Sanitization
(all platforms) Implement strict input validation that rejects absolute paths as well as parent-directory sequences before a file request is processed, then resolve the remaining relative path against a fixed base directory and confirm it is still inside it. Checking for '..' alone does not stop this CVE, because the published exploit uses an absolute path and contains no '..'.
# Add input validation in Flask route handlers (check the URL-decoded value)
# Example: if os.path.isabs(file_path) or '..' in file_path.split('/'): return 'Invalid request', 400
Web Application Firewall Rules
(all platforms) Configure the WAF to block requests whose file parameters contain path traversal patterns such as '../' or '..\' and, because this CVE is an absolute path traversal, values that begin with '/' (including the URL-encoded forms %2F and %2E%2E). A rule that only matches '..' will not block the published exploit.
# WAF rule example: deny requests whose URL-decoded query parameters contain '..' or start with '/'
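Worked example of the check that the fix step and the input-validation workaround above describe, added here for illustration and not code from the Anakin project: resolve_under_base() is a hypothetical helper that rejects absolute paths and '..' escapes before anything reaches send_file, and build_app() places a hypothetical vulnerable route next to the hardened one (the route names and base directory are assumptions).

```python
import os


def resolve_under_base(base_dir, user_path):
    """Map a client-supplied relative path onto base_dir.

    Returns the absolute filesystem path if it stays inside base_dir,
    otherwise None. Absolute paths are rejected explicitly because
    os.path.join() discards base_dir when its second argument is absolute,
    which is the same behaviour that lets send_file('/etc/passwd') serve
    any file (the CVE-2022-31523 bug class).
    """
    if not user_path or "\0" in user_path:
        return None
    if os.path.isabs(user_path) or user_path.startswith(("/", "\\")):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # realpath() collapses '..' and follows symlinks, so a component-wise
    # commonpath check on the resolved paths catches '../' escapes, symlink
    # escapes and sibling-prefix tricks such as '../models-evil/'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def build_app(base_dir):
    """Hypothetical Flask app showing the vulnerable and hardened routes.

    Flask is imported inside the function so resolve_under_base() can be
    exercised without Flask installed. Route names are assumptions, not
    Anakin's real endpoints.
    """
    from flask import Flask, abort, request, send_file, send_from_directory

    app = Flask(__name__)

    @app.route("/vulnerable/download")
    def vulnerable_download():
        # Bug class of CVE-2022-31523: the client controls the whole path,
        # so ?path=/etc/passwd is served as-is. Kept here only as the 'before'.
        return send_file(request.args.get("path", ""))

    @app.route("/download")
    def hardened_download():
        target = resolve_under_base(base_dir, request.args.get("path", ""))
        if target is None:
            abort(400)
        # send_from_directory() applies Flask's own safe_join() as a second
        # layer, so a regression in resolve_under_base() is still caught.
        relative = os.path.relpath(target, os.path.realpath(base_dir))
        return send_from_directory(base_dir, relative)

    return app


if __name__ == "__main__":
    for probe in ("/etc/passwd", "../../etc/passwd", "resnet/model.bin"):
        print(probe, "->", resolve_under_base("/srv/anakin/models", probe))
```

Run the module directly to see the three probes resolved; only the relative name under the base directory yields a path, the absolute and '../' probes return None. Note that a '..' substring check alone would have accepted the first probe.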
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure of vulnerable endpoints
- Deploy file system monitoring to detect unauthorized file access attempts
🔍 How to Verify
Check if Vulnerable:
Check whether you are running Anakin version 0.1.1 or earlier, and inspect the Flask route handlers for send_file() called with a user-controlled path (query string, form field, or URL segment) that is not joined to a fixed base directory and checked against it.
Check Version:
Check the package version or the repository commit of the Anakin installation; anything at or before 0.1.1 without the send_file fix is affected.
Verify Fix Applied:
Test that both absolute-path requests (e.g. a file parameter of /etc/passwd) and relative traversal attempts (e.g. '../../etc/passwd') return error responses instead of file contents, and that a legitimate file name under the intended directory is still served.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests whose file parameters contain '..', '../', or an absolute file path such as /etc/passwd, including URL-encoded forms (%2e%2e, %2f)
- Unusual file access patterns from web application logs
Network Indicators:
- HTTP requests with path traversal sequences to vulnerable endpoints
- Abnormal response sizes for file requests
SIEM Query:
(web.url:*..* OR web.url:*=/* OR web.url:*=%2F*) AND (web.status:200 OR web.status:206) AND NOT web.url:*normal-path*
Replace *normal-path* with your application's legitimate download paths. The absolute-path clauses matter: the published exploit contains no '..', so a query on '..' alone misses it.
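Added detection example, not part of the original advisory: the access-log lines below are constructed, the /download?path= endpoint is an assumption, and scan_log() applies the log indicators above to them, including the absolute-path and double-encoded cases that a '..'-only query misses.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real Anakin
# traffic. The /download?path= endpoint name is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2022:10:00:01 +0000] "GET /download?path=models/resnet.bin HTTP/1.1" 200 52341
10.0.0.9 - - [01/May/2022:10:00:02 +0000] "GET /download?path=/etc/passwd HTTP/1.1" 200 2034
10.0.0.9 - - [01/May/2022:10:00:03 +0000] "GET /download?path=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 12
10.0.0.9 - - [01/May/2022:10:00:04 +0000] "GET /download?path=%252Froot%252F.ssh%252Fid_rsa HTTP/1.1" 200 1679
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def suspicious_params(url):
    """Return (name, decoded value) for query parameters carrying an absolute
    path or a parent-directory component.

    parse_qsl() already decodes once; the extra unquote() handles
    double-encoded payloads such as %252F. Backslashes are normalised so
    '..\\' is treated like '../'. Matching on whole path components avoids
    false positives on names like 'v1..2.bin'.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = unquote(value)
        norm = decoded.replace("\\", "/")
        if norm.startswith("/") or ".." in norm.split("/"):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """One alert per request whose parameters look like traversal.

    'served' is True when the status suggests content was actually
    returned (200 or 206), which is the case worth paging on; blocked
    attempts (403, 404) are still recorded for reconnaissance tracking.
    """
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["url"])
        if hits:
            alerts.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "bytes": 0 if m["size"] == "-" else int(m["size"]),
                "params": hits,
                "served": m["status"] in ("200", "206"),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Running the module prints three alerts for the constructed log: the absolute /etc/passwd request and the double-encoded /root/.ssh/id_rsa request are both flagged as served, while the '../' attempt that got a 403 is recorded but not marked as served. The normal model download produces no alert.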