CVE-2022-31559
📋 TL;DR
This vulnerability allows attackers to perform absolute path traversal attacks in the tsileo/flask-yeoman repository, enabling unauthorized file access. It affects users who deployed this Flask-based project template between its creation and September 13, 2013. The vulnerability stems from unsafe use of Flask's send_file function without proper path validation.
💻 Affected Systems
- tsileo/flask-yeoman
📦 What is this software?
Flask Yeoman by Flask Yeoman Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through arbitrary file read, potentially exposing sensitive configuration files, credentials, or enabling remote code execution.
Likely Case
Unauthorized access to sensitive files on the server, including configuration files, source code, or user data.
If Mitigated
Limited impact with proper file system permissions and network segmentation in place.
🎯 Exploit Status
Path traversal vulnerabilities are well-understood and easily exploitable. The GitHub security advisory includes technical details that could be used to create exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://github.com/github/securitylab/issues/669
Restart Required: No
Instructions:
1. Replace the vulnerable repository code with a secure alternative
2. Review and update any file serving logic in your application
3. Implement proper input validation for file paths
🔧 Temporary Workarounds
Implement Path Validation
Add server-side validation to ensure file paths are within allowed directories. Flask's send_from_directory() performs this containment check itself and is preferable to a hand-rolled check.
# In Flask application code, replace send_file(requested_path) with a
# containment check on the resolved path:
import os
from flask import abort, send_file
base_dir = os.path.realpath("/srv/app/files")  # directory you intend to serve (example value)
safe_path = os.path.realpath(os.path.join(base_dir, requested_path))
# commonpath() compares whole components, so absolute paths (which os.path.join
# lets override base_dir), ../ escapes, symlinks and /srv/app/files_evil are all
# rejected; a bare startswith(base_dir) test wrongly accepts the last of these.
if os.path.commonpath([base_dir, safe_path]) != base_dir:
    abort(403)
return send_file(safe_path)
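The following is an added example written for this advisory, not code from the flask-yeoman project. It puts the containment check into a function that can be exercised without a web server, sets the original startswith() prefix test beside it to show what that test lets through, and builds a throwaway directory tree (a legitimate file, a sibling directory that shares the base name as a prefix, a file outside the base, and a symlink into it) to exercise both. Flask is deliberately not imported so the module runs stand-alone; the view code that would call resolve_inside() is shown in a comment at the end, with BASE_DIR standing in for whatever directory your route serves.

```python
"""Containment check for a user-supplied file path before handing it to send_file()."""
import os
import tempfile


def naive_check(base_dir, requested_path):
    """The prefix test: returns the path it would serve, or None.

    Two holes: normpath() leaves symlinks unresolved, and startswith() accepts
    any sibling whose name merely begins with base_dir (/srv/files_evil for
    /srv/files). Kept here only for comparison.
    """
    candidate = os.path.normpath(os.path.join(base_dir, requested_path))
    return candidate if candidate.startswith(base_dir) else None


def resolve_inside(base_dir, requested_path):
    """Return the real path of requested_path if it stays inside base_dir, else None."""
    if os.path.isabs(requested_path):
        return None  # an absolute path is never a valid file name for this route
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested_path))
    # realpath() resolves ../ and symlinks; commonpath() compares whole path
    # components, so /srv/files_evil is not "inside" /srv/files.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    """Build a constructed throwaway tree and exercise both checks; returns outcomes."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "files")
    evil = os.path.join(root, "files_evil")  # sibling sharing the prefix
    os.makedirs(base)
    os.makedirs(evil)
    secret = os.path.join(root, "secret.txt")
    for path, text in ((os.path.join(base, "a.txt"), "public"),
                       (os.path.join(evil, "b.txt"), "private"),
                       (secret, "private")):
        with open(path, "w") as fh:
            fh.write(text)
    try:
        os.symlink(secret, os.path.join(base, "link.txt"))
        symlink_ok = True
    except OSError:  # platform without symlink support: skip that case
        symlink_ok = False
    return {
        "legit_served": resolve_inside(base, "a.txt")
        == os.path.realpath(os.path.join(base, "a.txt")),
        "dotdot_blocked": resolve_inside(base, "../secret.txt") is None,
        "absolute_blocked": resolve_inside(base, secret) is None,
        "prefix_sibling_blocked": resolve_inside(base, "../files_evil/b.txt") is None,
        "naive_serves_prefix_sibling": naive_check(base, "../files_evil/b.txt") is not None,
        "symlink_blocked": (not symlink_ok) or resolve_inside(base, "link.txt") is None,
        "naive_serves_symlink": (not symlink_ok) or naive_check(base, "link.txt") is not None,
    }


# In the Flask view (not executed here; BASE_DIR is the directory your route serves):
#     path = resolve_inside(BASE_DIR, requested_path)
#     if path is None:
#         abort(403)
#     return send_file(path)

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'ok' if outcome else 'FAIL'}")
```

Every key in the dictionary returned by demo() should be True: the legitimate file is served, the four escape attempts are refused by resolve_inside(), and the two that naive_check() would have served show why the prefix test is not enough.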
Web Application Firewall Rules
Configure WAF to block path traversal patterns. This CVE is an absolute path traversal, so rules that match only ../ sequences do not cover it; treat them as a supplement to the application-level path check rather than a replacement.
# Example mod_security rule (depending on the version, REQUEST_URI may not be
# URL-decoded; add t:urlDecodeUni to the actions if %2e%2e%2f must also match):
SecRule REQUEST_URI "@contains ../" "id:1001,phase:1,deny,msg:'Path Traversal Attempt'"
# Example nginx rule. nginx resolves . and .. in $uri before matching location
# blocks, so a "location ~ \.\./" almost never fires; test the raw $request_uri
# in the server block instead:
if ($request_uri ~* "(\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)") {
    return 403;
}
🧯 If You Can't Patch
- Isolate the vulnerable application in a restricted network segment with minimal file system access
- Implement strict file system permissions to limit what files the application can access
🔍 How to Verify
Check if Vulnerable:
Review your Flask application code for use of send_file() without proper path validation. Check if you're using code from the tsileo/flask-yeoman repository.
Check Version:
Check your project's git history or dependencies for references to tsileo/flask-yeoman
Verify Fix Applied:
Test file access attempts with path traversal payloads (e.g., ../../../etc/passwd) and, because this CVE is an absolute path traversal, with an absolute path such as /etc/passwd given as the requested file; verify both are rejected.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing ../ sequences
- Failed file access attempts outside expected directories
- Unusual file access patterns
Network Indicators:
- HTTP requests with encoded path traversal sequences (%2e%2e%2f)
- Multiple failed file access attempts
SIEM Query:
source="web_logs" AND (uri="*../*" OR uri="*..%2f*" OR uri="*%2e%2e%2f*")
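The SIEM query above matches literal substrings, so it misses case variants (..%2F), double encoding (..%252f) and the absolute path form this CVE actually uses. As an added example (not part of the advisory), the script below applies the same log indicators after decoding: it parses combined-format access-log lines, strips up to three layers of percent-encoding, flags dot-dot segments, notes when the dot-dot was only visible after decoding, and flags query-parameter values that are absolute filesystem paths. The log lines are constructed for the example, and the query-parameter heuristic assumes the file-serving route takes its file name as a parameter; tune it to your routes. A flagged request with a 2xx status is the one to triage first, since it indicates the read may have succeeded.

```python
"""Flag path traversal indicators in web-server access logs."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (not real traffic), combined log format.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Sep/2013:10:01:02 +0000] "GET /static/app.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Sep/2013:10:01:05 +0000] "GET /files/../../../etc/passwd HTTP/1.1" 403 0 "-" "curl/7.30"
10.0.0.9 - - [13/Sep/2013:10:01:07 +0000] "GET /files/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1311 "-" "curl/7.30"
10.0.0.9 - - [13/Sep/2013:10:01:09 +0000] "GET /download?path=/etc/shadow HTTP/1.1" 200 890 "-" "curl/7.30"
10.0.0.9 - - [13/Sep/2013:10:01:11 +0000] "GET /files/..%252f..%252fetc/hosts HTTP/1.1" 200 220 "-" "curl/7.30"
10.0.0.7 - - [13/Sep/2013:10:02:00 +0000] "POST /api/login HTTP/1.1" 401 30 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path component bounded by slashes (either direction) or the ends.
DOTDOT_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding (so ..%252f is seen as ../)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_indicators(target):
    """Return the reasons a request target looks like traversal; [] if clean."""
    reasons = []
    decoded = fully_decode(target)
    if DOTDOT_RE.search(decoded):
        reasons.append("dot-dot traversal segment")
        if "../" not in target and "..\\" not in target:
            reasons.append("traversal hidden by URL encoding")
    # Absolute path traversal (this CVE): a parameter whose value is itself an
    # absolute filesystem path. Heuristic; assumes the route takes the file name
    # as a query parameter.
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if fully_decode(value).startswith("/"):
            reasons.append(f"absolute path in query parameter '{key}'")
    return reasons


def scan_log(text):
    """Return one record per suspicious line; `succeeded` marks a 2xx response."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        reasons = traversal_indicators(m["target"])
        if reasons:
            hits.append({
                "line": lineno,
                "ip": m["ip"],
                "target": m["target"],
                "status": int(m["status"]),
                "succeeded": m["status"].startswith("2"),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        verdict = "SERVED" if hit["succeeded"] else "blocked"
        print(f"line {hit['line']}: {hit['ip']} {hit['target']} -> {verdict}; "
              + ", ".join(hit["reasons"]))
```

Run against the sample, it flags lines 2 through 5 and leaves the static-asset and login requests alone; lines 3 to 5 carry a 200 status and are the ones that warrant checking what the application actually returned.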