CVE-2022-1554: Path Traversal in scout-browser
CVSS Score: 6.8 (CVSS 3.0)
Basic Information
CVE ID: CVE-2022-1554
GHSA ID:
EPSS Score: 0.67934%
CWE:
Published: 5/4/2022
Updated: 2/1/2023
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
scout-browser | pip | < 4.52 | 4.52 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how the remote_static endpoint handles file requests. Prior to the patch, it passed request.args.get('file') directly to send_file without path validation or authentication checks. The GitHub advisory explicitly names the send_file call as the root cause, and the patch adds session-based authorization checks and path validation. The CWE-22/36 mapping confirms that this is a path traversal vulnerability enabled by improper input sanitization in file-handling functions.
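The path-validation half of such a fix can be illustrated with a containment check that runs before any file is sent. This is an added example, not scout-browser's code or its patch: the helper name `resolve_served_file`, the `UnsafePath` exception and the sample files are hypothetical and constructed for illustration. It goes slightly beyond the text by also covering a symlink that points outside the served directory.

```python
import os
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """The requested file resolves outside the served directory."""


def resolve_served_file(base_dir, requested):
    """Return the real path of `requested` only if it stays under `base_dir`.
    Hypothetical helper; `requested` stands in for request.args.get('file')."""
    if not requested or "\x00" in requested:
        raise UnsafePath("empty or malformed file parameter")
    base = Path(base_dir).resolve(strict=True)
    # Joining onto an absolute path discards `base` (CWE-36) and ".." segments
    # climb out of it (CWE-22). resolve() collapses both and follows symlinks,
    # so the containment check below runs on the final on-disk location.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePath(f"{requested!r} escapes the served directory") from None
    if not candidate.is_file():
        raise UnsafePath(f"{requested!r} is not a regular file")
    return candidate


def demo():
    """Classify constructed sample requests against a temporary directory."""
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        served = root / "served"
        served.mkdir()
        (served / "track.txt").write_text("constructed sample data")
        secret = root / "secret.txt"
        secret.write_text("constructed file outside the served directory")
        os.symlink(secret, served / "link.txt")
        samples = [("plain", "track.txt"), ("relative", "../secret.txt"),
                   ("absolute", str(secret)), ("symlink", "link.txt")]
        for label, requested in samples:
            try:
                resolve_served_file(served, requested)
                outcome[label] = "served"
            except UnsafePath:
                outcome[label] = "rejected"
    return outcome
```

Only the path returned by the helper should ever reach the file-sending call; the authorization check the patch is described as adding is a separate control and is not modelled here.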