CVE-2021-46897: Wagtail CRX CodeRed Extensions vulnerable to Path Traversal

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.34612%
Published: 10/22/2023
Updated: 11/9/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name: coderedcms
Ecosystem: pip
Vulnerable Versions: >= 0, < 0.22.3
First Patched Version: 0.22.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the serve_protected_file function in views.py, which handled user-supplied paths without resolving them to absolute paths and validating the result. The pre-patch code built the file path with os.path.join() and never checked that the resolved path remained inside PROTECTED_MEDIA_ROOT, so ".." segments in a request could point outside that directory. The fix resolves the joined path with os.path.abspath() and adds an explicit startswith() check to ensure the file lies within the protected media subdirectory. GitHub issue #448 and the commit diff both identify this function as the vulnerability location, with the patch adding the missing path validation logic.
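The pre-patch and post-patch path handling described above, shown side by side as an added illustration (this is not the coderedcms code; the PROTECTED_MEDIA_ROOT value, the helper names and the sample requests are constructed, and both helpers are assumed to receive a percent-encoded path that they decode first):

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed root directory for the example; not the project's real setting.
PROTECTED_MEDIA_ROOT = "/srv/app/protected_media"


def resolve_unchecked(requested: str) -> str:
    """Pre-patch pattern: join the decoded user path onto the root with no
    containment check. '..' segments (or an absolute path, which makes
    os.path.join discard the root) can point outside PROTECTED_MEDIA_ROOT."""
    return os.path.join(PROTECTED_MEDIA_ROOT, unquote(requested))


def resolve_contained(requested: str) -> Optional[str]:
    """Post-patch pattern: resolve to an absolute path, then require that it
    stays under PROTECTED_MEDIA_ROOT. Returns None for anything outside."""
    root = os.path.abspath(PROTECTED_MEDIA_ROOT)
    full = os.path.abspath(os.path.join(root, unquote(requested)))
    # Compare against root plus a separator: a bare startswith(root) would
    # also accept a sibling directory such as /srv/app/protected_media_old.
    if full == root or full.startswith(root + os.sep):
        return full
    return None


if __name__ == "__main__":
    # Constructed sample requests: one legitimate file, three that climb out.
    for req in ("reports/q1.pdf", "../../../etc/passwd",
                "..%2f..%2f..%2fetc/passwd", "/etc/passwd"):
        print(f"{req!r:32} unchecked={resolve_unchecked(req)!r} "
              f"contained={resolve_contained(req)!r}")
```

The separator-suffixed comparison is the detail most often missed when copying the startswith() fix: without it, a sibling directory whose name shares the root's prefix passes the check.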

WAF Protection Rules

WAF Rule

views.py in Wagtail CRX CodeRed Extensions (formerly CodeRed CMS or coderedcms) before 0.22.3 allows upward protected/..%2f..%2f path traversal when serving protected media.
