CVE-2022-31558: Tooxie Shiva 0.10.0 allows absolute path traversal because the Flask send_file function is used unsafely
CVSS Score: 9.3 (CVSS 3.1)
Basic Information
CVE ID: CVE-2022-31558
GHSA ID:
EPSS Score: 0.62394%
CWE:
Published: 7/12/2022
Updated: 1/27/2023
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| shiva | pip | <= 0.10.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability arises from the unsafe use of Flask's send_file function in shiva-server/shiva/fileserver.py (line 81). The application constructs the absolute_path using os.path.join with a user-controlled relative_path parameter. Since os.path.join ignores previous path components when encountering an absolute path, attackers can supply paths like '/../../etc/passwd' to traverse directories. The direct use of send_file with this untrusted absolute_path enables path traversal, as confirmed by the GitHub advisory and CVE description.
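The join behaviour described above, shown next to a containment check, as an added example (not code from Shiva or from the advisory). MEDIA_ROOT, resolve_unsafe and resolve_safe are hypothetical names, the sample requests other than the one quoted in the analysis are constructed, and POSIX paths are assumed.

```python
import os

MEDIA_ROOT = "/srv/music"  # constructed media root (assumption, not Shiva's config)


def resolve_unsafe(relative_path, root=MEDIA_ROOT):
    """The pattern the analysis describes: join, then hand the result to send_file."""
    return os.path.join(root, relative_path)


def resolve_safe(relative_path, root=MEDIA_ROOT):
    """Return a resolved path inside root, or None when the request escapes it."""
    root_real = os.path.realpath(root)
    # realpath collapses '..' segments and follows symlinks, so the check below
    # sees the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(root_real, relative_path))
    # commonpath compares whole components, so a sibling such as
    # /srv/music-private does not pass the way a startswith() test would.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def demo():
    """Run constructed request values through both resolvers."""
    samples = [
        "albums/track.mp3",        # legitimate relative request
        "/../../etc/passwd",       # absolute path from the analysis above
        "../../etc/passwd",        # relative '..' traversal
        "../music-private/a.mp3",  # sibling directory sharing the root's prefix
    ]
    return [(s, resolve_unsafe(s), resolve_safe(s)) for s in samples]


if __name__ == "__main__":
    for requested, unsafe, safe in demo():
        print(f"{requested!r:28} unsafe={unsafe!r:40} safe={safe!r}")
```

In a Flask view, `send_from_directory(root, relative_path)` applies a comparable check before serving the file.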