CVE-2022-31527
📋 TL;DR
This vulnerability allows attackers to perform absolute path traversal attacks in the Wildog/flask-file-server repository, enabling unauthorized file access. It affects users who deployed this Flask-based file server software before February 2020. The vulnerability stems from unsafe use of Flask's send_file function without proper path validation.
💻 Affected Systems
- Wildog/flask-file-server
📦 What is this software?
Flask File Server by Flask File Server Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary file read, potentially leading to sensitive data exposure, credential theft, or further privilege escalation.
Likely Case
Unauthorized access to sensitive files on the server, including configuration files, credentials, and application data.
If Mitigated
Limited impact with proper file system permissions and network segmentation restricting access to sensitive directories.
🎯 Exploit Status
Path traversal vulnerabilities are well-understood and easily exploitable with minimal technical knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://github.com/github/securitylab/issues/669#issuecomment-1117265726
Restart Required: Yes
Instructions:
1. Remove the vulnerable flask-file-server implementation.
2. Replace it with a secure file server solution.
3. Restart the application/service.
🔧 Temporary Workarounds
Implement Path Sanitization
Add input validation that sanitizes file paths before they are passed to the send_file function.
# Add path validation in Flask route handler
import os
from werkzeug.utils import secure_filename
base_dir = '/var/www/files'  # the only directory the server is allowed to expose
# Before send_file. Note that secure_filename() strips directory separators, so this
# variant only fits flat file names; for paths with subdirectories use the
# base-directory containment check in the next workaround instead.
safe_path = os.path.normpath(os.path.join(base_dir, secure_filename(requested_path)))
Restrict File Access Directory
Configure the application to serve files only from a specific, restricted directory.
# Set explicit base directory
import os
from flask import abort
BASE_DIR = '/var/www/files'
# os.path.join() discards BASE_DIR entirely when filename is absolute (the absolute
# path traversal this CVE describes), so strip leading separators first
requested_path = os.path.normpath(os.path.join(BASE_DIR, filename.lstrip('/\\')))
# Validate requested path is within BASE_DIR; compare against the prefix plus a trailing
# separator so a sibling directory such as /var/www/files2 does not pass the check
if not requested_path.startswith(BASE_DIR + os.sep):
    abort(403)
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the vulnerable service
- Deploy a web application firewall (WAF) with path traversal protection rules
🔍 How to Verify
Check if Vulnerable:
Check whether your deployment is based on the Wildog/flask-file-server repository and whether its code passes user-supplied paths to send_file without path validation.
Check Version:
Check the repository commit history or your deployment date to confirm whether you are running a version from before 2020-02-20.
Verify Fix Applied:
Test path traversal attempts (e.g., '../../etc/passwd') and verify they are blocked with 403/404 responses.
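A complete path-confinement check that combines both workarounds above, with the traversal strings from the verification step run against it, as an added example that is not code from the Wildog/flask-file-server project. It is framework-independent standard-library Python intended to be called in the route handler before send_file; the base directory, file names, symlink and request strings are constructed for the demonstration, and the names resolve_safe_path, classify_requests and PathTraversalError are assumptions made here.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the base directory (assumed name)."""


def resolve_safe_path(base_dir: str, requested: str) -> str:
    """Return the real filesystem path for `requested`, confined to `base_dir`.

    1. Percent-decode once so '%2e%2e%2f' cannot slip past a literal '..' check
       (drop this step if the web framework has already decoded the path).
    2. Normalise backslashes and strip leading separators: os.path.join()
       discards base_dir entirely when its second argument is absolute, which
       is exactly the absolute path traversal this CVE describes.
    3. realpath() both sides so '..' segments and symlinks are resolved.
    4. Require the result to live under base_dir using commonpath(), which is
       stricter than startswith(): '/var/www/files2' would pass a prefix test.
    """
    base_real = os.path.realpath(base_dir)
    relative = unquote(requested).replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(base_real, relative))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError(f"refusing path outside base directory: {requested!r}")
    return candidate


def classify_requests(base_dir: str, requests: list) -> dict:
    """Mirror the route's outcomes: 'blocked' (403), 'not_found' (404), 'served' (200)."""
    outcome = {}
    for req in requests:
        try:
            path = resolve_safe_path(base_dir, req)
        except PathTraversalError:
            outcome[req] = "blocked"
            continue
        outcome[req] = "served" if os.path.isfile(path) else "not_found"
    return outcome


def demo():
    """Build a throwaway base directory (constructed sample data) and classify
    legitimate requests alongside the traversal strings from the verify step."""
    root = tempfile.mkdtemp(prefix="ffs-demo-")
    base = os.path.join(root, "files")
    os.makedirs(os.path.join(base, "docs"))
    with open(os.path.join(base, "docs", "notes.txt"), "w") as fh:
        fh.write("public notes\n")
    # A file next to the base directory that must never be reachable.
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("do not serve\n")
    # A symlink inside the base directory that points outside it: realpath()
    # catches this, a normpath()/startswith() check does not.
    symlink_ok = True
    try:
        os.symlink(secret, os.path.join(base, "escape_link"))
    except (OSError, NotImplementedError):
        symlink_ok = False
    requests = [
        "docs/notes.txt",
        "docs/../docs/notes.txt",
        "../secret.txt",
        "../../etc/passwd",
        "/etc/passwd",
        "%2e%2e%2fsecret.txt",
        "docs\\..\\..\\secret.txt",
        "escape_link",
    ]
    try:
        return classify_requests(base, requests), symlink_ok
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    results, _ = demo()
    for req, verdict in results.items():
        print(f"{verdict:10s} {req}")
```

Two design choices matter here. The absolute request '/etc/passwd' is not rejected outright but re-rooted under the base directory, where it simply does not exist, which is why it maps to a 404 rather than a 403; and realpath() rather than normpath() is used so that a symlink placed inside the served tree cannot point back out of it.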
📡 Detection & Monitoring
Log Indicators:
- Multiple 403/404 responses for path traversal patterns
- Unusual file access patterns outside expected directories
- Requests containing '../' sequences
Network Indicators:
- HTTP requests with path traversal sequences in URLs
- Unusual file extensions or paths in web requests
SIEM Query:
source="web_logs" AND (url="*../*" OR url="*..\\*" OR url="*%2e%2e%2f*") AND response_code=200
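The log indicators and SIEM query above, expressed as a small access-log scanner, as an added example that is not taken from the page's source or from any vendor tool. It parses combined-format log lines (a constructed sample is embedded; none of the lines come from a real deployment), percent-decodes the request path once, flags '..' path segments and embedded double slashes, ranks a 200 response above a blocked 403/404, and counts blocked attempts per source address. The regex, field names, severity labels and the probing threshold are assumptions made for the example.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Combined log format (assumed): ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample access log for the demonstration.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /files/docs/notes.txt HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:10:01:05 +0000] "GET /files/../../etc/passwd HTTP/1.1" 403 0
203.0.113.7 - - [10/Mar/2024:10:01:06 +0000] "GET /files/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1832
198.51.100.4 - - [10/Mar/2024:10:02:10 +0000] "GET /files/report..pdf HTTP/1.1" 200 9000
198.51.100.4 - - [10/Mar/2024:10:02:11 +0000] "GET /files/..%5c..%5cetc%5cpasswd HTTP/1.1" 404 0
203.0.113.7 - - [10/Mar/2024:10:01:07 +0000] "GET /files//etc/passwd HTTP/1.1" 200 1832
203.0.113.7 - - [10/Mar/2024:10:01:08 +0000] "GET /files/..%2f..%2fetc%2fpasswd HTTP/1.1" 403 0
"""


def traversal_indicator(path: str) -> Optional[str]:
    """Return why a request path looks like traversal, or None if it does not.

    The path is percent-decoded once and backslashes are normalised before
    splitting into segments, so encoded and Windows-style variants are caught.
    Matching whole segments avoids the false positive a substring test on '..'
    would raise for a legitimate name such as 'report..pdf'.
    """
    decoded = unquote(path.split("?", 1)[0]).replace("\\", "/")
    segments = decoded.split("/")
    if any(seg == ".." for seg in segments):
        return "dot-dot segment"
    # An empty inner segment means '//' inside the path, the usual shape of an
    # absolute path spliced into a file parameter.
    if any(seg == "" for seg in segments[1:-1]):
        return "embedded absolute path (double slash)"
    return None


def scan_log(text: str) -> list:
    """Return one finding per suspicious request line, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = traversal_indicator(m["path"])
        if reason is None:
            continue
        status = int(m["status"])
        # A 200 means the server answered the traversal request: incident candidate.
        # A 403/404 means it was blocked: evidence of probing, lower severity.
        severity = "high" if status == 200 else "low"
        findings.append({"ip": m["ip"], "path": m["path"], "status": status,
                         "reason": reason, "severity": severity})
    return findings


def probing_sources(findings: list, threshold: int = 2) -> dict:
    """Source addresses with at least `threshold` blocked traversal attempts."""
    counts = {}
    for f in findings:
        if f["severity"] == "low":
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['severity']:4s} {f['status']} {f['ip']:14s} {f['reason']}: {f['path']}")
    print("repeat probing from:", probing_sources(hits))
```

Compared with the wildcard SIEM query, decoding before matching means a single rule covers '../', '..\\' and their percent-encoded forms, and the segment test keeps a file name that merely contains two dots out of the results.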