6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-21693

GHSA ID

GHSA-jgm9-xpfj-4fq6

EPSS Score

0.56775%

CWE

CWE-22

Published

1/21/2022

Updated

10/7/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-21693

CVE-2022-21693: Path traversal in Onionshare

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.

Vulnerability ID: OTF-013
Vulnerability type: Improper Hardening
Threat level: Low

Description:

The filesystem restriction could be hardened and should only allow for pre-defined subfolders.

Technical description:

The Flatpak and Snap configurations allow for read-only access on the whole home folder. The relevant lines in the configuration files are onionshare/snap/snapcraft.yaml#L20 and onionshare/flatpak/org.onionshare.OnionShare.yaml#L19 , respectively.

The encapsulation of filesystem access via these mechanisms should be restricted to pre-defined folders and not allow for access to (configuration) files outside the Onionshare-specific folders.

Sadly Snap does not allow for further restriction to specific folders and therefore cannot be further hardened. By default both frameworks disallow access to hidden folders and therefore reduce the potential impact.

Impact:

An adversary with a primitive that allows for filesystem access from the context of the Onionshare process can access sensitive files in the entire user home folder. This could lead to the leaking of sensitive data. Due to the automatic exclusion of hidden folders, the impact is reduced.

Recommendation:

Reduce read access in Flatpak configuration.

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-21693

GHSA ID

GHSA-jgm9-xpfj-4fq6

EPSS Score

0.56775%

CWE

CWE-22

Published

1/21/2022

Updated

10/7/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
onionshare-cli	pip	>= 2.3, < 2.5	2.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper filesystem access configurations in Flatpak and Snap packaging files (snapcraft.yaml and org.onionshare.OnionShare.yaml), not from specific code functions. These configurations granted broad read access to the entire home directory. While the technical description references specific lines in these YAML files, these are declarative permissions configurations rather than executable functions. The advisory does not identify any vulnerable application code functions (e.g., path sanitization routines or file handling implementations) - the core issue lies in packaging security policies. Without access to commit diffs or code changes demonstrating vulnerable functions, we cannot confidently identify specific code functions responsible for the misconfiguration.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**tw**n S*pt*m**r **, **** *n* O*to**r *, ****, [R**i**lly Op*n S**urity](*ttps://www.r**i**llyop*ns**urity.*om/) *on*u*t** * p*n*tr*tion t*st o* OnionS**r* *.*, *un*** *y t** Op*n T***nolo*y *un*'s [R** T**m l**](*ttps://www.op*nt***.*un*/l**s/r**-t

Reasoning

T** vuln*r**ility st*ms *rom improp*r *il*syst*m ****ss *on*i*ur*tions in *l*tp*k *n* Sn*p p**k**in* *il*s (`sn*p*r**t.y*ml` *n* `or*.onions**r*.OnionS**r*.y*ml`), not *rom sp**i*i* *o** *un*tions. T**s* *on*i*ur*tions *r*nt** *ro** r*** ****ss to t*

6.3

Basic Information

Concerned about an active attack path?

CVE-2022-21693: Path traversal in Onionshare

Description:

Technical description:

Impact:

Recommendation:

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI