
CVE-2013-2217:
Improper Link Resolution Before File Access in Suds

CVSS Score: 6.2 (CVSS 3.1)

Basic Information

EPSS Score: 0.35934%
Published: 5/14/2022
Updated: 10/28/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
suds           pip         <= 0.4                1.0.0
suds-py3       pip         >= 0, < 1.4.4.1       1.4.4.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from FileCache initialization in cache.py, which falls back to tempfile.gettempdir() + '/suds' when no location is specified. This yields a predictable path inside the world-writable /tmp directory, so any local user can pre-create that directory or plant symlinks under it, redirecting the cache files Suds later writes. The __init__ method's logic for setting self.location (lines 140-142 in the original code) directly implements this vulnerable pattern. At runtime, this constructor being called while SOAP requests are processed is the primary indicator that the vulnerable code path is in use.
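The predictable-path pattern described above, placed beside a hardened alternative, as an added Python example that is not Suds project code. The function names are ours, and the ownership, permission and O_NOFOLLOW checks are our assumptions about what a fixed cache layer should verify before trusting a directory under /tmp.

```python
"""Added example (not Suds code): the predictable temp-dir pattern behind
CVE-2013-2217 next to a hardened, per-run cache directory."""
import os
import stat
import tempfile


def predictable_cache_dir():
    # Vulnerable pattern from the analysis: a fixed, guessable location under
    # the shared temp directory. Any local user can create this directory, or
    # files and symlinks inside it, before the SOAP client first runs.
    return os.path.join(tempfile.gettempdir(), "suds")


def private_cache_dir(base=None):
    """Hardened alternative: a fresh, unpredictable directory with mode 0700.

    mkdtemp() creates the directory atomically and owner-only, so the name
    cannot be guessed in advance and no other local user can pre-plant
    anything inside it.
    """
    return tempfile.mkdtemp(prefix="suds-", dir=base)


def cache_dir_is_safe(path):
    """Reject a cache directory that could have been set up by someone else.

    Fails if the path is a symlink, is not a directory, is not owned by the
    current user, or is writable by group or others.
    """
    st = os.lstat(path)  # lstat: do not follow a symlink at `path` itself
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def write_cache_entry(cache_dir, name, data):
    """Create a cache file without writing through a pre-planted symlink.

    O_CREAT|O_EXCL fails if anything (including a symlink) already exists at
    the name, and O_NOFOLLOW (where the platform has it) refuses to follow a
    symlink that appears between the check and the open.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(os.path.join(cache_dir, name), flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: one good directory, one loose directory, one
    symlinked directory, and a symlink pre-planted inside the good one."""
    root = tempfile.mkdtemp(prefix="cve-2013-2217-demo-")
    good = private_cache_dir(base=root)
    loose = os.path.join(root, "loose")       # world-writable, like /tmp/suds
    os.mkdir(loose)
    os.chmod(loose, 0o777)                    # umask may have narrowed mkdir
    link = os.path.join(root, "link")         # a symlink standing in for the dir
    os.symlink(good, link)
    target = os.path.join(root, "victim")     # where a planted symlink points
    os.symlink(target, os.path.join(good, "planted.px"))
    try:
        write_cache_entry(good, "planted.px", b"cached wsdl")
        followed = True
    except OSError:
        followed = False
    return {
        "good_ok": cache_dir_is_safe(good),
        "loose_ok": cache_dir_is_safe(loose),
        "link_ok": cache_dir_is_safe(link),
        "symlink_followed": followed,
        "target_created": os.path.exists(target),
    }


if __name__ == "__main__":
    print(demo())
```

The check in cache_dir_is_safe is only a guard for directories a caller supplies; the real fix is to stop deriving the location from a guessable name and to let mkdtemp() create an owner-only directory per run.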

WAF Protection Rules

WAF Rule

cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/.
