CVE-2023-25307

7.8 HIGH

📋 TL;DR

CVE-2023-25307 is a directory traversal vulnerability in nothub mrpack-install versions up to v0.16.2 that allows attackers to write files outside the intended extraction directory. This affects users who process untrusted mrpack files with vulnerable versions of the tool. The vulnerability could lead to arbitrary file overwrite or remote code execution.

💻 Affected Systems

Products:
  • nothub mrpack-install
Versions: <= v0.16.2
Operating Systems: All platforms where mrpack-install runs
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default configuration when processing mrpack files with path traversal sequences.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if attacker-controlled files are processed with elevated privileges.

🟠 Likely Case: Arbitrary file overwrite in the context of the user running mrpack-install, potentially leading to data corruption or privilege escalation.

🟢 If Mitigated: Limited to file writes within the user's permissions if proper sandboxing or least-privilege principles are followed.

🌐 Internet-Facing: MEDIUM - Requires processing attacker-supplied mrpack files, which typically happens in controlled environments rather than directly internet-exposed services.
🏢 Internal Only: MEDIUM - Internal users processing untrusted mrpack files could be exploited, but requires user interaction or automated processing of malicious files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the victim to process a malicious mrpack file. Public proof-of-concept exists in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.16.3 and later

Vendor Advisory: https://github.com/nothub/mrpack-install/security/advisories/GHSA-r887-gfxh-m9rr

Restart Required: No

Instructions:

1. Update mrpack-install to v0.16.3 or later using your package manager.
2. Verify the update was successful by checking the version.
3. No restart is required, as this is a command-line tool.

🔧 Temporary Workarounds

Validate mrpack files before processing (all platforms): Only process mrpack files from trusted sources and validate file paths before extraction.

Run with restricted permissions (all platforms): Execute mrpack-install with minimal privileges and in a sandboxed environment.

🧯 If You Can't Patch

  • Discontinue use of mrpack-install for processing untrusted files
  • Implement strict input validation and path sanitization in wrapper scripts
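As an added illustration of the path check these workarounds call for (example code written for this page, not code from mrpack-install or its advisory), the Go functions below resolve each file path listed in a pack under the extraction directory and reject any that would land outside it; the sample entries and the destination directory are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrPathTraversal = errors.New("entry path escapes the extraction directory")
// SafeJoin resolves entryPath (as listed inside a pack file) under destDir and
// refuses absolute paths, drive letters and any "../" that would escape it.
func SafeJoin(destDir, entryPath string) (string, error) {
	if entryPath == "" || filepath.IsAbs(entryPath) || strings.HasPrefix(entryPath, "\\") ||
		(len(entryPath) >= 2 && entryPath[1] == ':') {
		return "", ErrPathTraversal
	}
	cleanDest := filepath.Clean(destDir)
	// Treat backslashes as separators so "..\\" is caught on every platform.
	candidate := filepath.Join(cleanDest, filepath.FromSlash(strings.ReplaceAll(entryPath, "\\", "/")))
	rel, err := filepath.Rel(cleanDest, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return candidate, nil
}

// CheckEntries returns every listed path that fails SafeJoin, so a wrapper
// script can refuse the whole pack before extraction starts.
func CheckEntries(destDir string, entries []string) []string {
	var rejected []string
	for _, e := range entries {
		if _, err := SafeJoin(destDir, e); err != nil {
			rejected = append(rejected, e)
		}
	}
	return rejected
}

func main() {
	// Constructed sample entries, not taken from any real pack file.
	entries := []string{"mods/sodium.jar", "overrides/./config/client.toml",
		"../../.bashrc", "config/../../etc/cron.d/job", "..\\..\\startup.bat", "/etc/hosts"}
	for _, bad := range CheckEntries("/srv/minecraft", entries) {
		fmt.Printf("rejected: %q\n", bad)
	}
}
```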

🔍 How to Verify

Check if Vulnerable:

Check the mrpack-install version: if it is <= 0.16.2, the system is vulnerable.

Check Version:

mrpack-install --version

Verify Fix Applied:

Verify mrpack-install version is >= 0.16.3 and test with known safe mrpack files.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations outside expected directories
  • Processing of mrpack files with suspicious path patterns

Network Indicators:

  • Downloads of mrpack files from untrusted sources

SIEM Query:

Process execution where command contains 'mrpack-install' AND version <= 0.16.2
