8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2111

GHSA ID

GHSA-fr2w-mp56-g4xp

EPSS Score

0.63114%

CWE

CWE-434

Published

6/17/2022

Updated

1/27/2023

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2111

CVE-2022-2111: Unrestricted Attachment Upload

Impact

InvenTree allows unrestricted upload of files as attachments to various database fields. Potentially dangerous files (such as HTML files containing malicious javascript) can be uploaded, and (when opened by the user) run the malicious code directly in the users browser.

Note that the upload of malicious files must be performed by an authenticated user account

Solution

The solution for this vulnerability is to ensure that attachment files are downloaded to the local machine before opening, rather than opening the file in the current browser context.

Patches

The issue is addressed in the upcoming 0.8.0 release
This fix will also be back-ported to the 0.7.x branch, applied to the 0.7.2 release

Workarounds

Users can alleviate risk of opening malicious files by right-clicking on the attachment link and selecting "Save link as"

This minimizes risk (e.g. of XSS attacks) by opening the HTML file from the users computer

References

https://huntr.dev/bounties/a0e5c68e-0f75-499b-bd7b-d935fb8c0cd1/

For more information

If you have any questions or comments about this advisory:

Open an issue in github
Email us at security@inventree.org

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2111

GHSA ID

GHSA-fr2w-mp56-g4xp

EPSS Score

0.63114%

CWE

CWE-434

Published

6/17/2022

Updated

1/27/2023

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
inventree	pip	< 0.7.2	0.7.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability combines two aspects: 1) Unrestricted file upload (CWE-434) allowing dangerous types, and 2) Improper handling of downloaded files leading to execution. The commit shows frontend JavaScript changes (sanitizeData) and admin resource modifications, but the critical fix would involve changing how attachments are served. The high-confidence entry reflects frontend link generation without download enforcement, while the medium-confidence entry addresses missing server-side headers. Without exact commit diffs, these are inferred from the described vulnerability pattern and solution strategy.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Inv*nTr** *llows unr*stri*t** uplo** o* *il*s *s *tt***m*nts to v*rious **t***s* *i*l*s. Pot*nti*lly **n**rous *il*s (su** *s *TML *il*s *ont*inin* m*li*ious j*v*s*ript) **n ** uplo****, *n* (w**n op*n** *y t** us*r) run t** m*li*ious *o*

Reasoning

T** vuln*r**ility *om*in*s two *sp**ts: *) Unr*stri*t** *il* uplo** (*W*-***) *llowin* **n**rous typ*s, *n* *) Improp*r **n*lin* o* *ownlo**** *il*s l***in* to *x**ution. T** *ommit s*ows *ront*n* J*v*S*ript ***n**s (`s*nitiz***t*`) *n* **min r*sour*

8.8

Basic Information

Concerned about an active attack path?

CVE-2022-2111: Unrestricted Attachment Upload

Impact

Solution

Patches

Workarounds

References

For more information

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI