CVE-2022-31535
📋 TL;DR
This vulnerability allows attackers to read arbitrary files on the server by exploiting path traversal in the Flask application in the freefood89/Fishtank repository: a user-controlled path reaches Flask's send_file without validation. It affects any system running the Fishtank code through 2015-06-24. Attackers can read any file the application's OS user can read, such as configuration files, credentials, or source code.
💻 Affected Systems
- freefood89/Fishtank repository
📦 What is this software?
Fishtank is a small Flask web application published in the freefood89/Fishtank GitHub repository (Fishtank Project).
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like SSH keys, database credentials, or configuration files leading to lateral movement and data exfiltration.
Likely Case
Information disclosure of sensitive files, potentially exposing credentials, configuration data, or application source code.
If Mitigated
Impact is limited to files readable by the application's OS user inside its network segment; anything that user can read remains exposable, so credentials must not be stored where the application can reach them.
🎯 Exploit Status
Path traversal vulnerabilities are well understood and trivially exploitable with a single crafted HTTP request; no special tooling is required. The linked GitHub Security Lab issue includes the technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A (no patched version of the repository is available)
Vendor Advisory: https://github.com/github/securitylab/issues/669
Restart Required: No
Instructions:
1. Remove or replace the vulnerable Fishtank application
2. If maintaining the code, never pass user input to send_file directly: resolve the requested name against a fixed base directory (for example with flask.send_from_directory or werkzeug.utils.safe_join), reject absolute paths and anything that resolves outside that directory
3. Consider using Flask's built-in security features or a maintained alternative
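The following is an added illustration of step 2, not code from the Fishtank repository. It shows the vulnerable pattern (joining, or not joining, a user-supplied name and handing the result to send_file) next to a hardened resolver that decodes the input, refuses absolute paths, resolves symlinks and confirms the result is still inside one base directory. The base directory /srv/fishtank/static and the parameter values are assumptions; the resolver is what you would call before send_file.

```python
import os
import posixpath
from urllib.parse import unquote

# Assumed base directory; the real Fishtank layout is not documented on this page
BASE_DIR = "/srv/fishtank/static"


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would resolve outside the base directory."""


def vulnerable_resolve(base_dir, requested):
    """The pattern this CVE describes: join and hand the result to send_file.

    os.path.join discards base_dir entirely when `requested` is absolute, so
    '/etc/passwd' comes back unchanged, and '../' segments are kept verbatim.
    """
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir, requested):
    """Return the absolute path for `requested` inside base_dir, or raise.

    Flask has already percent-decoded request.args once; decoding again
    defeats double-encoded input (%252e%252e%252f) that slips past naive filters.
    """
    base = os.path.realpath(base_dir)

    # Decode repeatedly until the value stops changing (bounded to avoid loops)
    decoded = requested
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step

    # NUL bytes truncate paths in C-level file APIs; never let them through
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")

    # Treat backslashes as separators so '..\\..\\' is handled like '../../'
    decoded = decoded.replace("\\", "/")

    # Absolute input is the exact case in this CVE: refuse it rather than join it
    if posixpath.isabs(decoded):
        raise PathTraversalError("absolute path not allowed")

    # Normalize and resolve symlinks, then confirm the result is still under base.
    # commonpath (not startswith) avoids the '/srv/fishtank/static2' prefix trick.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{requested!r} escapes {base_dir}")
    return candidate


def is_safe(base_dir, requested):
    """Boolean convenience wrapper around safe_resolve."""
    try:
        safe_resolve(base_dir, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    for name in ("css/app.css", "../../etc/passwd", "/etc/passwd",
                 "%252e%252e%252fetc%252fpasswd", "..hidden/readme.txt"):
        print(f"{name!r:35} vulnerable -> {vulnerable_resolve(BASE_DIR, name)!r:45} "
              f"safe -> {is_safe(BASE_DIR, name)}")
```

Note that a file named "..hidden/readme.txt" is accepted, because the check is on the resolved location rather than on the presence of two dots; a plain `startswith('..')` test would reject it while still missing the prefix-directory case.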
🔧 Temporary Workarounds
Input Validation Middleware
Add middleware that validates the requested file path before it reaches send_file. The query parameter name 'file' and the directory 'static' below are assumptions; adjust them to the route the application actually exposes.
# Python Flask middleware example
import os
from flask import Flask, request, abort

app = Flask(__name__)
ALLOWED_DIR = os.path.realpath("static")  # the only directory files may be served from

@app.before_request
def validate_paths():
    if 'file' in request.args:
        requested_path = request.args.get('file')
        # Reject absolute paths outright: os.path.join() discards the base when the
        # second argument is absolute, which is how send_file ends up reading /etc/passwd
        if os.path.isabs(requested_path):
            abort(403)
        # Normalize, resolve symlinks, then confirm the result is still inside ALLOWED_DIR
        candidate = os.path.realpath(os.path.join(ALLOWED_DIR, requested_path))
        if os.path.commonpath([ALLOWED_DIR, candidate]) != ALLOWED_DIR:
            abort(403)
Web Application Firewall Rules
Configure the WAF to block path traversal patterns in both the URL path and query arguments.
# Example ModSecurity rule: decode percent-encoding first so %2e%2e%2f is caught as well as a literal ../
SecRule ARGS|REQUEST_URI "@contains ../" "id:1001,phase:2,t:urlDecodeUni,deny,status:403,msg:'Path Traversal Attempt'"
# A single decode pass does not catch double-encoded input (%252e%252e%252f) or backslash variants; prefer the OWASP Core Rule Set path-traversal rules over a hand-written rule where possible
🧯 If You Can't Patch
- Isolate the vulnerable application in a restricted network segment with no access to sensitive files
- Implement strict file system permissions to limit what files the application user can read
🔍 How to Verify
Check if Vulnerable:
Check if your application uses the freefood89/Fishtank repository code dated 2015-06-24 or earlier, and if it uses Flask's send_file with user-controlled input without proper path validation.
Check Version:
# Show the date of the checked-out commit (git log --oneline omits dates)
git log -1 --format='%H %cd'
# Or check the repository metadata of your deployment for the commit it was built from
Verify Fix Applied:
Test that traversal attempts return 403/404 errors instead of file contents, covering relative traversal (e.g. '../../etc/passwd'), an absolute path (e.g. '/etc/passwd', the case that defeats a naive os.path.join), and the percent-encoded form ('%2e%2e%2fetc%2fpasswd').
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' patterns
- Unusual file access patterns from web application user
- 403/404 responses to traversal attempts indicate the mitigation is working; a 200 with a non-zero response size to the same request indicates the file was served
Network Indicators:
- HTTP requests with encoded path traversal sequences (%2e%2e%2f)
- Unusual file download patterns from web endpoints
SIEM Query:
source="web_logs" AND (url="*../*" OR url="*..%2f*" OR url="*%2e%2e%2f*" OR url="*..%5c*" OR url="*%252e%252e*")
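As an added example, not part of the original advisory, the scanner below applies the log indicators above to constructed access-log lines. It goes a little beyond the SIEM query: it percent-decodes repeatedly so double-encoded sequences (%252e%252e%252f) are caught, treats backslashes as separators, flags absolute paths in query values (which a `*../*` pattern misses), and separates attempts that were answered with 200 from those that were blocked. Common Log Format and the /download?file= route are assumptions; the six log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Common Log Format: ip, ident, user, timestamp, request line, status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines, not real traffic. The /download?file= route is an
# assumption about how the vulnerable send_file call is reached.
SAMPLE_LOG = """
203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "GET /download?file=css%2Fapp.css HTTP/1.1" 200 1532
203.0.113.10 - - [12/Mar/2024:10:00:05 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 200 2048
203.0.113.10 - - [12/Mar/2024:10:00:07 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 403 0
203.0.113.10 - - [12/Mar/2024:10:00:09 +0000] "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
198.51.100.7 - - [12/Mar/2024:10:01:00 +0000] "GET /download?file=/etc/shadow HTTP/1.1" 200 900
198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /download?file=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 0
""".strip().splitlines()


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), defeating double encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_indicator(value, is_url_path=False):
    """Return a reason string if `value` looks like a traversal attempt, else None."""
    v = fully_decode(value).replace("\\", "/")
    if ".." in v.split("/"):
        return "dot-dot segment"
    # A URL path always starts with '/', so only flag a leading '/' in parameter values
    if not is_url_path and v.startswith("/"):
        return "absolute path"
    return None


def scan_log(lines):
    """Parse each line, inspect the URL path and every query value, and collect hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a real pipeline would count and report these
        target = m.group("target")
        parts = urlsplit(target)
        checks = [("path", parts.path, True)]
        # parse_qs decodes once; traversal_indicator decodes again for double encoding
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            checks.extend((f"query:{name}", v, False) for v in values)
        for where, value, is_url_path in checks:
            reason = traversal_indicator(value, is_url_path)
            if reason:
                hits.append({"ip": m.group("ip"), "target": target,
                             "status": int(m.group("status")),
                             "where": where, "reason": reason})
                break  # one hit per request is enough
    return hits


def served_hits(hits):
    """Traversal attempts answered with 200: the file was most likely disclosed."""
    return [h for h in hits if h["status"] == 200]


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = "DISCLOSED" if h["status"] == 200 else "blocked"
        print(f'{h["ip"]:14} {h["status"]} {flag:9} {h["reason"]:15} {h["target"]}')
```

On the sample, five of the six requests are flagged and two of them were answered with 200 (the raw '../../etc/passwd' and the absolute '/etc/shadow'); those two are the ones to treat as confirmed disclosure and feed into incident response, while the 403/404 hits show the mitigation holding.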