
CVE-2022-21693: Path traversal in Onionshare

CVSS Score (v3.1): 6.3

Basic Information

EPSS Score: 0.56775%
Published: 1/21/2022
Updated: 10/7/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Package Name     Ecosystem   Vulnerable Versions   First Patched Version
onionshare-cli   pip         >= 2.3, < 2.5         2.5

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from overly permissive filesystem access declared in the Snap and Flatpak packaging files (snapcraft.yaml and org.onionshare.OnionShare.yaml), not from any specific code function. These declarations granted the sandboxed application broad read access to the user's entire home directory, so a path traversal in the application could reach files well beyond what it needed. Although the technical description points to specific lines in these YAML files, those lines are declarative permission settings rather than executable code. The advisory identifies no vulnerable application code (for example, path sanitization routines or file handling implementations); the core issue lies in the packaging sandbox policy. Without commit diffs or code changes showing a defective function, no specific code function can be confidently named as responsible for the misconfiguration.


