9.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-31558

GHSA ID

GHSA-qp72-96p2-g644

EPSS Score

0.62394%

CWE

CWE-22

Published

7/12/2022

Updated

1/27/2023

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31558

CVE-2022-31558: Tooxie Shiva 0.10.0 allows absolute path traversal because Flask send_file function used unsafely

The tooxie/shiva-server repository through 0.10.0 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-31558

CVE-2022-31558:

9.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-31558

GHSA ID

GHSA-qp72-96p2-g644

EPSS Score

0.62394%

CWE

CWE-22

Published

7/12/2022

Updated

1/27/2023

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shiva	pip	<= 0.10.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises from the unsafe use of Flask's send_file function in shiva-server/shiva/fileserver.py (line 81). The application constructs the absolute_path using os.path.join with a user-controlled relative_path parameter. Since os.path.join ignores previous path components when encountering an absolute path, attackers can supply paths like '/../../etc/passwd' to traverse directories. The direct use of send_file with this untrusted absolute_path enables path traversal, as confirmed by the GitHub advisory and CVE description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-31558: Tooxie Shiva 0.10.0 allows absolute path traversal because Flask send_file function used unsafely

CVE-2022-31558:

9.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

9.3

9.3

Basic Information

Basic Information

CVE-2022-31558: Tooxie Shiva 0.10.0 allows absolute path traversal because Flask send_file function used unsafely

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI