[GHSA-4mmh-5vw7-rgvj] Proposal for an Update for Confidentiality and Integrity Rating #5204

Open
wants to merge 1 commit into
base: anonymous-nlp-student/advisory-improvement-5204
Conversation

anonymous-nlp-student

Summary

The Confidentiality (C) and Integrity (I) ratings for CVE-2022-36007 / GHSA-4mmh-5vw7-rgvj should be revised as follows:

  • The Confidentiality (C) rating should be High (H) rather than Low (L) because the path traversal could lead to the loss of sensitive information such as passwords and encryption keys if they are stored in /Users/foo/resources.
  • The Integrity (I) rating should be None (N) rather than High (H) because the vulnerability allows unauthorized access to files via the load-file and load-resource functions but does not enable file modification.

GHSA Description

A partial path traversal issue exists within the functions load-file and load-resource. These functions can be limited to load files from a list of load paths.

Assuming Venice has been configured with the load paths: [ "/Users/foo/resources" ]

When passing relative paths to these two vulnerable functions, everything is fine:
(load-resource "test.png") => loads the file "/Users/foo/resources/test.png"
(load-resource "../resources-alt/test.png") => rejected, outside the load path

When passing absolute paths to these two vulnerable functions, Venice may return files outside the configured load paths:
(load-resource "/Users/foo/resources/test.png") => loads the file "/Users/foo/resources/test.png"
(load-resource "/Users/foo/resources-alt/test.png") => loads the file "/Users/foo/resources-alt/test.png" !!!
The latter call suffers from the Partial Path Traversal vulnerability.

This issue’s scope is limited to absolute paths whose name prefix matches a load path. E.g. for a load path "/Users/foo/resources", the actor can also cause a resource to be loaded from "/Users/foo/resources-alt", but not from "/Users/foo/images".

Versions of Venice before and including v1.10.16 are affected by this issue.

CVSS 3.x Specifications

Confidentiality

| Metric Value | Description |
|---|---|
| High (H) | There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. |
| Low (L) | There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component. |
| None (N) | There is no loss of confidentiality within the impacted component. |

Integrity

| Metric Value | Description |
|---|---|
| High (H) | There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. |
| Low (L) | Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component. |
| None (N) | There is no loss of integrity within the impacted component. |

Supporting Examples

Similar vulnerabilities involving path traversal have been consistently rated as C:H/I:N in the following CVEs:

  • CVE-2017-16214 / GHSA-74f5-4m28-gq5c (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

    Affected versions of peiserver resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system.

    Example request:

    GET /../../../../../../../../../../etc/passwd HTTP/1.1
    host:foo
    
  • CVE-2021-32769 / GHSA-cjx7-399x-p2rj (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

    With a basic configuration like

    router:
      static-resources:
        assets:
          enabled: true
          mapping: /.assets/public/**
          paths: file:/home/lstrmiska/test/
    

    it is possible to access any file from a filesystem, using "/../../" in URL, as Micronaut does not restrict file access to configured paths.
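The prefix-matching flaw the GHSA description above describes, as an added Python illustration (not Venice's own code): a string-prefix test on absolute paths beside a component-wise containment check. The load path, file names and both check functions are constructed here to reproduce the four outcomes the advisory lists.

```python
import posixpath

# Constructed load-path configuration mirroring the advisory's scenario.
LOAD_PATHS = ["/Users/foo/resources"]

def resolve(load_path, path):
    """Resolve `path` against `load_path` (an absolute `path` keeps itself,
    because join() discards the base) and normalize away `..` components."""
    return posixpath.normpath(posixpath.join(load_path, path))

def is_within(base, candidate):
    """True iff `candidate` is `base` itself or a descendant of it, compared
    by whole path components rather than by characters."""
    return posixpath.commonpath([base, candidate]) == base

def allowed_prefix_check(path, load_paths=LOAD_PATHS):
    """Illustrative vulnerable variant (constructed, not Venice's code).
    Absolute paths are accepted on a plain string-prefix match, so
    '/Users/foo/resources-alt/...' passes because it shares the prefix
    '/Users/foo/resources'. Relative paths are handled correctly."""
    for lp in load_paths:
        base = posixpath.normpath(lp)
        if posixpath.isabs(path):
            if posixpath.normpath(path).startswith(base):
                return True
        elif is_within(base, resolve(base, path)):
            return True
    return False

def allowed_component_check(path, load_paths=LOAD_PATHS):
    """Hardened variant: every input, absolute or relative, is resolved and
    then compared component-wise, so a sibling directory with a shared
    name prefix is rejected."""
    for lp in load_paths:
        base = posixpath.normpath(lp)
        if is_within(base, resolve(base, path)):
            return True
    return False

def evaluate(path):
    """Return (prefix_check_result, component_check_result) for one path."""
    return allowed_prefix_check(path), allowed_component_check(path)

if __name__ == "__main__":
    for p in ["test.png", "../resources-alt/test.png",
              "/Users/foo/resources/test.png",
              "/Users/foo/resources-alt/test.png", "/Users/foo/images/test.png"]:
        prefix_ok, component_ok = evaluate(p)
        print(f"{p!r}: prefix-check={prefix_ok}, component-check={component_ok}")
```

Only the fourth path differs between the two checks, which is exactly the partial path traversal case; the advisory's other three outcomes, and the "/Users/foo/images" non-case, are identical under both.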

@github-actions github-actions bot changed the base branch from main to anonymous-nlp-student/advisory-improvement-5204 January 20, 2025 21:44
@JonathanLEvans

Hi @anonymous-nlp-student, I agree that Integrity should be None. I do not see how the load functions could be used to impact integrity.

However, without clear evidence that sensitive information is stored in these directories, I am inclined to keep Confidentiality as Low.
