CVE-2022-31551
📋 TL;DR
This vulnerability allows attackers to perform absolute path traversal attacks in the pleomax00/flask-mongo-skel repository, enabling unauthorized file access. It affects users who deployed applications built with this Flask-MongoDB skeleton repository before November 2012. The vulnerability stems from unsafe use of Flask's send_file function without proper path validation.
💻 Affected Systems
- pleomax00/flask-mongo-skel repository
📦 What is this software?
Flask Mongo Skel by Flask Mongo Skel Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary file read, potentially leading to sensitive data exposure, credential theft, and lateral movement within the environment.
Likely Case
Unauthorized access to sensitive configuration files, source code, or application data stored on the server filesystem.
If Mitigated
Limited impact with proper file system permissions, but still potential for information disclosure about server configuration.
🎯 Exploit Status
Path traversal vulnerabilities are well-understood and easily exploitable with simple HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://github.com/github/securitylab/issues/669
Restart Required: Yes
Instructions:
1. Replace the vulnerable send_file usage with safe path validation
2. Implement proper input sanitization for file paths
3. Restart the Flask application after changes
🔧 Temporary Workarounds
Implement Path Sanitization
Add input validation to sanitize file paths before passing them to send_file. Note that werkzeug.utils.safe_join returns None when the joined path would escape the base directory, so that result must be handled rather than passed straight to send_file:
# In Flask route handler:
import os
from flask import abort, send_file
from werkzeug.utils import safe_join

base_directory = os.path.abspath("files")  # the only directory the app is allowed to serve
safe_path = safe_join(base_directory, user_input_path)  # None if user_input_path escapes base_directory
if safe_path is None or not os.path.isfile(safe_path):
    abort(404)  # do not reveal whether the requested path exists
return send_file(safe_path)
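The following is an added, stand-alone example (not code from the flask-mongo-skel project or from this advisory) showing why the skeleton's pattern is dangerous and what the sanitized version must reject. It uses only the Python standard library so it runs without Flask or Werkzeug installed; unsafe_resolve reproduces the os.path.join behaviour behind "absolute path traversal", and safe_resolve is a containment check equivalent in intent to safe_join plus the isfile test above. BASE_DIR, SIBLING_DIR, the file names and the two function names are assumptions constructed for the demonstration.

```python
import os
import tempfile
from typing import Optional

# Constructed sandbox standing in for the application's download directory
# (BASE_DIR is an assumed name; the skeleton's real layout is not shown on the page).
BASE_DIR = tempfile.mkdtemp(prefix="flask_files_")
with open(os.path.join(BASE_DIR, "report.txt"), "w", encoding="utf-8") as fh:
    fh.write("quarterly report\n")

# A sibling directory whose name has BASE_DIR as a prefix, to show why a
# plain startswith() containment check is not enough.
SIBLING_DIR = BASE_DIR + "_secret"
os.mkdir(SIBLING_DIR)
with open(os.path.join(SIBLING_DIR, "flag.txt"), "w", encoding="utf-8") as fh:
    fh.write("should never be served\n")


def unsafe_resolve(base: str, user_path: str) -> str:
    """The vulnerable pattern behind this CVE class.

    os.path.join() drops `base` entirely when `user_path` is absolute, and
    keeps '..' components as-is, so send_file(unsafe_resolve(base, name))
    serves whatever path the client names.
    """
    return os.path.join(base, user_path)


def safe_resolve(base: str, user_path: str) -> Optional[str]:
    """Hardened resolution: the canonical path of the requested file, or None.

    None means the caller should respond 404 (Flask: abort(404)) without
    revealing whether the target exists.
    """
    base_real = os.path.realpath(base)
    # Absolute input is rejected outright; this is exactly the "absolute path
    # traversal" case the advisory describes.
    if os.path.isabs(user_path):
        return None
    # NUL bytes are never part of a legitimate filename and truncate C-level open().
    if "\x00" in user_path:
        return None
    # realpath() collapses '..' and follows symlinks, so the containment check
    # below sees where the request really lands on disk.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath() rather than startswith(): '/srv/files' must not accept
    # '/srv/files_secret/flag.txt'.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> dict:
    """Run both resolvers over the request shapes the detection section of the
    advisory looks for, and return the outcomes for inspection."""
    sibling = "../" + os.path.basename(SIBLING_DIR) + "/flag.txt"
    cases = ["report.txt", "../../etc/passwd", "/etc/passwd", sibling]
    return {
        case: {"unsafe": unsafe_resolve(BASE_DIR, case),
               "safe": safe_resolve(BASE_DIR, case)}
        for case in cases
    }


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r:45} unsafe -> {outcome['unsafe']!r}")
        print(f"{'':45} safe   -> {outcome['safe']!r}")
```

Running it shows that only "report.txt" survives safe_resolve, while unsafe_resolve happily returns "/etc/passwd" for the absolute input. The realpath step also matters in deployments where the download directory contains symlinks: a link pointing outside the base is resolved before the containment check, not after.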
Restrict File Access
Implement file system permissions to limit what files the application can access
# Set appropriate file permissions
chmod 750 /path/to/application/files
chown appuser:appgroup /path/to/application/files
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block path traversal patterns
- Isolate the vulnerable application in a container with minimal file system access
🔍 How to Verify
Check if Vulnerable:
Review Flask application code for send_file usage without proper path validation. Check if application uses the pleomax00/flask-mongo-skel repository.
Check Version:
Check repository commit history or application dependencies for flask-mongo-skel usage
Verify Fix Applied:
Test with path traversal payloads (e.g., '../../etc/passwd') and verify they are blocked or sanitized.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' patterns
- Unusual file access patterns in application logs
- Failed file access attempts outside expected directories
Network Indicators:
- HTTP requests with encoded path traversal sequences (%2e%2e%2f)
- Multiple failed file access attempts from single IP
SIEM Query:
source="web_logs" AND (uri="*../*" OR uri="*..%2f*" OR uri="*%2e%2e%2f*")
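As an added example (not part of this advisory or of any SIEM product), the following Python script applies the indicators above to combined-format web server log lines: it catches the plain "../" form, the single-encoded "..%2f" and "%2e%2e%2f" forms, the double-encoded "%252e%252e%252f" form that the SIEM query above would miss, and the absolute-path parameter value that this CVE is specifically about, then counts flagged requests per source IP. The log lines, IP addresses, endpoint name and function names are all constructed assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in combined log format; none of these come from
# a real deployment. 10.0.0.9 plays the client probing the download endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /download?file=report.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /download?file=..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.9 - - [10/Oct/2023:13:55:43 +0000] "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "curl/8.0"
10.0.0.9 - - [10/Oct/2023:13:55:44 +0000] "GET /download?file=/etc/hostname HTTP/1.1" 200 64 "-" "curl/8.0"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /static/app.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# A '..' segment followed by a slash or backslash, checked after decoding.
DOTDOT_RE = re.compile(r"\.\.[/\\]")


def decode_variants(text: str, passes: int = 2) -> List[str]:
    """Return the text plus up to `passes` successive URL-decodings, so that
    '..%2f' and the double-encoded '%252e%252e%252f' are both caught."""
    variants = [text]
    for _ in range(passes):
        decoded = unquote(variants[-1])
        if decoded == variants[-1]:
            break
        variants.append(decoded)
    return variants


def traversal_reason(uri: str) -> Optional[str]:
    """Return why a request URI looks like path traversal, or None if it does not."""
    for depth, variant in enumerate(decode_variants(uri)):
        if DOTDOT_RE.search(variant):
            return f"dot-dot segment after {depth} decode pass(es)"
    # The absolute-path variant this CVE is about: a parameter value that is
    # itself an absolute path, which os.path.join() hands to send_file unchanged.
    query = urlsplit(uri).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if any(v.startswith(("/", "\\")) for v in decode_variants(value)):
                return f"absolute path in parameter {name!r}"
    return None


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines and return those matching a traversal pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole run
        reason = traversal_reason(m["uri"])
        if reason:
            hits.append({"ip": m["ip"], "uri": m["uri"],
                         "status": m["status"], "reason": reason})
    return hits


def suspicious_ips(hits: List[Dict[str, str]], min_hits: int = 3) -> Dict[str, int]:
    """Source addresses with at least `min_hits` flagged requests: the
    'multiple attempts from a single IP' indicator listed above."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    flagged = analyze(SAMPLE_LOG)
    for h in flagged:
        print(f"{h['ip']:10} {h['status']} {h['reason']:45} {h['uri']}")
    print("repeat offenders:", suspicious_ips(flagged))
```

Two points worth carrying into a production rule: decode before matching, because the server decodes the request before the handler sees it, so an encoded "%2e%2e%2f" is just as effective as "../"; and treat a 200 response to a flagged request as higher priority than a 404, since the constructed "/etc/hostname" line above is what a successful absolute-path read would look like in the logs.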