CVE-2022-45968
📋 TL;DR
CVE-2022-45968 allows authenticated users with file upload permission to upload arbitrary files to any folder in Alist v3.4.0, including password-protected directories. This affects all deployments running the vulnerable version where user accounts have upload privileges. The vulnerability bypasses intended access controls and folder restrictions.
💻 Affected Systems
- Alist
📦 What is this software?
Alist by Alistgo
⚠️ Risk & Real-World Impact
Worst Case
An attacker could upload malicious files (webshells, malware) to protected directories, potentially gaining remote code execution, data exfiltration, or complete system compromise.
Likely Case
Unauthorized file upload leading to data integrity issues, storage abuse, or serving malicious content from the application.
If Mitigated
With proper network segmentation and file validation, impact is limited to unauthorized file storage without execution capabilities.
🎯 Exploit Status
Exploitation requires an authenticated user with upload permission. The vulnerability is simple to exploit via standard HTTP file upload requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.5.0 and later
Vendor Advisory: https://github.com/alist-org/alist/issues/2444
Restart Required: Yes
Instructions:
1. Back up your Alist configuration and data.
2. Stop the Alist service.
3. Update to v3.5.0 or later using your deployment method (Docker, binary, source).
4. Restart the Alist service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable file upload permissions
Temporarily remove file upload permissions from all user accounts until patching can be completed.
Edit Alist configuration to remove upload permissions from user roles
Implement WAF rules
Add web application firewall rules to block suspicious file upload patterns.
WAF-specific: configure rules to inspect file upload requests and block uploads targeting folders that should be restricted.
🧯 If You Can't Patch
- Implement strict file type validation and scanning for all uploaded files
- Isolate Alist instance in a restricted network segment with no internet access
🔍 How to Verify
Check if Vulnerable:
Check if running Alist v3.4.0. Attempt to upload a file to a password-protected folder using a user account with only upload permissions.
Check Version:
Check the Alist web interface dashboard or run: ./alist version (if using the binary)
Verify Fix Applied:
After updating to v3.5.0+, verify that users with only upload permissions cannot upload files to password-protected folders.
📡 Detection & Monitoring
Log Indicators:
- File upload requests to protected folders from users with only upload permissions
- Successful uploads to directories with access control failures
Network Indicators:
- HTTP POST requests to upload endpoints with folder paths that should be restricted
- Unusual file types being uploaded to protected directories
SIEM Query:
source="alist.log" AND (event="file_upload" AND folder="protected_*" AND user_permissions="upload_only")
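The same filter as the SIEM query above, implemented as a small log sweep so it can be run where no SIEM is available. This is an added example, not code from Alist or from the advisory; the JSON-lines layout and the field names (event, user_permissions, folder, status) are assumptions chosen to mirror the query, and the sample records are constructed. Adapt the field names to the log format your Alist deployment actually emits.

```python
import json
from typing import Iterable, List

# Constructed sample records in a hypothetical JSON-lines layout that mirrors the
# fields used by the SIEM query (event, folder, user_permissions). Alist's real log
# format is not specified on this page; adjust the keys to match your logs.
SAMPLE_LOG = """\
{"ts":"2022-11-30T10:01:02Z","event":"file_upload","user":"alice","user_permissions":"upload_only","folder":"/public/shared","file":"notes.txt","status":"ok"}
{"ts":"2022-11-30T10:02:10Z","event":"file_upload","user":"bob","user_permissions":"upload_only","folder":"/protected_finance","file":"notes2.txt","status":"ok"}
{"ts":"2022-11-30T10:03:45Z","event":"file_upload","user":"admin","user_permissions":"admin","folder":"/protected_finance","file":"report.xlsx","status":"ok"}
{"ts":"2022-11-30T10:04:00Z","event":"file_download","user":"bob","user_permissions":"upload_only","folder":"/protected_finance","file":"report.xlsx","status":"denied"}
{"ts":"2022-11-30T10:05:30Z","event":"file_upload","user":"carol","user_permissions":"upload_only","folder":"/protected_hr","file":"cv.pdf","status":"denied"}
"""

# Folder name prefix treated as password-protected (the query above uses "protected_*").
PROTECTED_PREFIX = "protected_"


def is_protected(folder: str) -> bool:
    """True if any path segment of the folder is named like a protected directory."""
    return any(seg.startswith(PROTECTED_PREFIX) for seg in folder.strip("/").split("/"))


def flag_suspicious_uploads(lines: Iterable[str]) -> List[dict]:
    """Return records matching the advisory's log indicators: a *successful*
    file_upload into a protected folder by an account that only holds upload
    permission. Denied attempts are skipped: on a patched instance (v3.5.0+)
    that denial is the expected outcome, so only a success signals the bypass."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the sweep
        if rec.get("event") != "file_upload":
            continue
        if rec.get("user_permissions") != "upload_only":
            continue
        if rec.get("status") != "ok":
            continue
        if is_protected(rec.get("folder", "")):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_uploads(SAMPLE_LOG.splitlines()):
        print(f"ALERT {hit['ts']} user={hit['user']} wrote {hit['file']} into {hit['folder']}")
```

On the constructed sample only bob's record is flagged: alice wrote to a public folder, the admin account holds more than upload permission, and carol's attempt was denied as a patched instance should do.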