CVE-2022-31555
📋 TL;DR
This vulnerability allows attackers to read arbitrary files on the server through absolute path traversal in the romain20100/nursequest repository. It affects any system running this GitHub repository's code through February 22, 2018. The vulnerability exists because the Flask send_file function is used without proper path validation.
💻 Affected Systems
- romain20100/nursequest GitHub repository
📦 What is this software?
Nurse Quest by Nurse Quest Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like /etc/passwd, SSH keys, configuration files, or database credentials, potentially leading to full system takeover.
Likely Case
Unauthorized access to sensitive server files containing credentials, configuration data, or user information.
If Mitigated
Limited impact with proper file permissions and network segmentation preventing access to critical system files.
🎯 Exploit Status
Path traversal vulnerabilities are well-understood and easily exploitable with simple HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: N/A
Restart Required: No
Instructions:
1. Remove or replace the vulnerable repository code.
2. Implement proper path validation in Flask send_file calls.
3. Consider using a maintained alternative if available.
🔧 Temporary Workarounds
Implement Path Validation
Add proper path validation before using Flask's send_file function to prevent directory traversal.
```python
# Python code to validate paths
import os
from flask import send_file

SAFE_DIR = os.path.realpath('/safe/directory')  # the only directory files may be served from

def safe_send_file(path):
    # Resolve the request relative to SAFE_DIR. lstrip('/') matters: os.path.join
    # discards SAFE_DIR when its second argument is absolute, which is exactly the
    # absolute-path traversal this advisory describes.
    candidate = os.path.realpath(os.path.join(SAFE_DIR, path.lstrip('/')))
    # realpath collapses '..' and follows symlinks, so the containment check is reliable
    if os.path.commonpath([candidate, SAFE_DIR]) != SAFE_DIR:
        return 'Invalid path', 400
    return send_file(candidate)
```
Web Application Firewall Rules
Configure WAF to block requests containing path traversal patterns.
```apache
# Example mod_security rule; t:urlDecodeUni decodes the URI first so that
# percent-encoded sequences such as %2e%2e%2f do not slip past the match
SecRule REQUEST_URI "@contains ../" "id:1001,phase:1,t:none,t:urlDecodeUni,deny,status:403,msg:'Path Traversal Attempt'"
```
🧯 If You Can't Patch
- Network segmentation to isolate vulnerable systems from sensitive data
- Implement strict file permissions to limit accessible files
🔍 How to Verify
Check if Vulnerable:
Test if the application allows accessing files outside intended directories by attempting path traversal (e.g., /../../etc/passwd).
Check Version:
Check repository commit history or deployment date to confirm if code predates 2018-02-22.
Verify Fix Applied:
Verify that path traversal attempts return error responses and cannot access files outside allowed directories.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' patterns
- Access to unexpected file paths
- 403/400 errors from path validation
Network Indicators:
- HTTP requests with encoded path traversal sequences (%2e%2e%2f)
- Unusual file access patterns
SIEM Query:
source="web_logs" AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e%2f*")
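As an added example (not part of the advisory or the nursequest project), the following Python scans constructed web-log lines for the indicators listed above: it percent-decodes repeatedly so that encoded and double-encoded traversal sequences and backslash variants are caught, and also flags an absolute path handed over as a parameter value, the form of traversal this CVE describes. The log lines and the `file=` parameter are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (Apache combined format); the file= parameter is hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2018:10:00:01 +0000] "GET /static/logo.png HTTP/1.1" 200 512 "-" "curl/7.58"
10.0.0.7 - - [22/Feb/2018:10:00:02 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.58"
10.0.0.7 - - [22/Feb/2018:10:00:03 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0 "-" "curl/7.58"
10.0.0.7 - - [22/Feb/2018:10:00:04 +0000] "GET /download?file=%252e%252e%252fetc/passwd HTTP/1.1" 200 1843 "-" "curl/7.58"
10.0.0.9 - - [22/Feb/2018:10:00:05 +0000] "GET /download?file=..\\..\\windows\\win.ini HTTP/1.1" 200 92 "-" "curl/7.58"
10.0.0.9 - - [22/Feb/2018:10:00:06 +0000] "GET /reports/2018..pdf HTTP/1.1" 200 4096 "-" "curl/7.58"
10.0.0.9 - - [22/Feb/2018:10:00:07 +0000] "GET /download?file=/etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.58"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')
# A '..' segment, whether it starts the path, follows '/', or starts a parameter value.
DOTDOT = re.compile(r'(?:^|[/=?&])\.\.(?:[/?&#]|$)')
# A parameter whose value starts with '/', i.e. an absolute path handed to the server.
# Heuristic: legitimate redirect-style parameters also match; review those hits by hand.
ABS_PARAM = re.compile(r'[?&][^=&]*=/')

def decode_uri(uri, rounds=3):
    """Percent-decode until stable (bounded) to unwrap double encoding, then unify separators."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace('\\', '/')

def classify(uri):
    """Return a reason string if the URI looks like a traversal attempt, else None."""
    decoded = decode_uri(uri)
    if DOTDOT.search(decoded):
        return 'dot-dot traversal'
    if ABS_PARAM.search(decoded):
        return 'absolute path in parameter'
    return None

def scan_log(text):
    """Return (ip, uri, status, reason) for each request flagged as a traversal attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reason = classify(m['uri'])
            if reason:
                # status 200 means the file was served; 403/400 means validation held
                hits.append((m['ip'], m['uri'], int(m['status']), reason))
    return hits
```

Run `scan_log(SAMPLE_LOG)` to list the flagged requests; a 200 next to a traversal reason is the line to investigate first, since the server served the file rather than rejecting the path.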