CVE-2022-35410
📋 TL;DR
CVE-2022-35410 is a path traversal vulnerability in mat2 (metadata anonymization toolkit) that allows attackers to access sensitive files outside the intended directory when processing ZIP archives. This primarily affects mat2 web instances where users can upload archives for cleaning. Attackers could potentially read arbitrary files on the server.
💻 Affected Systems
- mat2 (metadata anonymization toolkit)
📦 What is this software?
mat2 (metadata anonymization toolkit), a command-line tool and web service for stripping metadata from files, developed by jvoisin and hosted at https://0xacab.org/jvoisin/mat2.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive configuration files, credentials, or other critical data, potentially leading to further attacks.
Likely Case
Unauthorized access to sensitive files on the server hosting mat2 web instances, potentially exposing configuration data or other files accessible to the web server user.
If Mitigated
Limited impact if proper file permissions and sandboxing are in place, restricting what files the web server user can access.
🎯 Exploit Status
Exploitation requires uploading a specially crafted ZIP archive containing directory traversal sequences (../). The vulnerability is well-documented with public proof-of-concept examples.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.13.0 and later
Vendor Advisory: https://dustri.org/b/mat2-0130.html
Restart Required: No
Instructions:
1. Update mat2 to version 0.13.0 or later using your package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt install mat2
3. For pip installations: pip install --upgrade 'mat2>=0.13.0' (quote the requirement so the shell does not treat >= as an output redirection).
4. Verify the update with mat2 --version.
🔧 Temporary Workarounds
Disable ZIP archive processing (platform: all)
Temporarily disable ZIP archive upload/processing in mat2 web instances until patched.
Restrict web server permissions (platform: linux)
Run the mat2 web instance with minimal file system permissions, using chroot or containerization.
🧯 If You Can't Patch
- Disable the mat2 web interface entirely and use only the command-line version with trusted users
- Implement strict input validation and sanitization for ZIP archive processing
🔍 How to Verify
Check if Vulnerable:
Check mat2 version with 'mat2 --version' or 'pip show mat2'. If version is below 0.13.0, the system is vulnerable.
Check Version:
mat2 --version
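A version check that does the comparison numerically rather than as strings (a plain string compare would rank 0.9.0 above 0.13.0). This is an added example written for this page, not mat2's own code; it assumes the version appears in the tool output as a dotted number such as "mat2 0.12.4" or, for pip show, "Version: 0.13.0".

```python
import re

# First release carrying the fix, per the vendor advisory.
FIXED_VERSION = (0, 13, 0)


def parse_version(output: str):
    """Extract a numeric version tuple from 'mat2 --version' or 'pip show mat2' output.

    Accepts forms such as 'mat2 0.12.4' or 'Version: 0.13.0' (assumed output
    formats) and returns e.g. (0, 12, 4). Returns None if no version is found.
    """
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", output)
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(output: str) -> bool:
    """True if the reported version is below 0.13.0.

    Compares tuples, not strings: "0.9.0" < "0.13.0" is False as strings
    but True numerically, which is the comparison we actually want.
    """
    version = parse_version(output)
    if version is None:
        raise ValueError("no version number found in tool output")
    return version < FIXED_VERSION


if __name__ == "__main__":
    import subprocess

    # Run the real tool when available; fall back to a constructed sample line.
    try:
        out = subprocess.run(["mat2", "--version"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = "mat2 0.12.4"  # constructed sample output
    print("vulnerable" if is_vulnerable(out) else "fixed", "-", out.strip())
```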
Verify Fix Applied:
After updating, verify version is 0.13.0 or higher with 'mat2 --version'. Test with a safe ZIP archive containing traversal sequences to ensure proper sanitization.
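The member-name validation that the "strict input validation" workaround calls for, together with the traversal test archive the verification step mentions, as an added example written for this page (it is not mat2's own code and does not reproduce the 0.13.0 fix). The check rejects any archive entry whose name would resolve outside the extraction directory; the sample archive is constructed in memory so the script runs offline.

```python
import io
import posixpath
import zipfile


def is_safe_member_name(name: str) -> bool:
    """Return True only if a ZIP member name stays inside the extraction root.

    Rejects empty names, embedded NULs, absolute paths, Windows drive letters,
    and any '..' component left after posixpath normalisation. Backslashes are
    treated as separators so '..\\..\\x' is caught as well as '../../x'.
    """
    if not name or "\x00" in name:
        return False
    candidate = name.replace("\\", "/")
    if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
        return False
    normalised = posixpath.normpath(candidate)
    return all(part != ".." for part in normalised.split("/"))


def unsafe_members(zip_bytes: bytes) -> list:
    """List the member names in an archive that would escape the target directory.

    Inspect names before extracting anything; an archive with any unsafe
    member should be rejected outright rather than partially processed.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if not is_safe_member_name(info.filename)]


def build_sample_archive() -> bytes:
    """Constructed test archive: ordinary members plus traversal-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "ordinary file")
        zf.writestr("img/photo.jpg", "not really a jpeg")
        zf.writestr("../../etc/passwd", "traversal via ..")
        zf.writestr("..\\..\\windows\\win.ini", "traversal via backslash")
        zf.writestr("/tmp/absolute", "absolute path")
        zf.writestr("sub/../../escape", "traversal that only shows after normalisation")
    return buf.getvalue()


if __name__ == "__main__":
    rejected = unsafe_members(build_sample_archive())
    for name in rejected:
        print("rejected:", name)
```

The same check applies to any archive-handling code path, not only mat2: validate every entry name before any file is written, and treat a single bad name as grounds to reject the whole upload.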
📡 Detection & Monitoring
Log Indicators:
- Failed attempts to access files outside expected directories
- ZIP processing errors with path traversal sequences
- Unusual file access patterns from mat2 process
Network Indicators:
- Multiple ZIP uploads to mat2 web interface with similar patterns
- Unusual outbound connections after ZIP processing
SIEM Query:
source="mat2" AND ("../" OR "..\\" OR "path traversal")
🔗 References
- https://0xacab.org/jvoisin/mat2/-/commit/beebca4bf1cd3b935824c966ce077e7bcf610385
- https://0xacab.org/jvoisin/mat2/-/issues/174
- https://dustri.org/b/mat2-0130.html
- https://www.debian.org/security/2022/dsa-5185