CVE-2022-31558: Tooxie Shiva 0.10.0 allows absolute path traversal because Flask send_file function used unsafely

CVSS Score: 9.3 (CVSS v3.1)

Basic Information

EPSS Score
0.62394%
Published
7/12/2022
Updated
1/27/2023
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Package Name: shiva
Ecosystem: pip
Vulnerable Versions: <= 0.10.0
First Patched Version: (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability arises from the unsafe use of Flask's send_file function in shiva-server/shiva/fileserver.py (line 81). The application builds absolute_path with os.path.join from a user-controlled relative_path parameter. Because os.path.join discards every preceding component as soon as it meets an absolute component, an attacker can supply a value such as '/../../etc/passwd' and the joined result no longer lies under the intended media directory. Passing this untrusted absolute_path straight to send_file therefore permits path traversal, as confirmed by the GitHub advisory and the CVE description.
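The following is an added illustration of the root cause described above, written for this page rather than taken from shiva-server's own fileserver.py. It reproduces the os.path.join behaviour the analysis relies on beside a hardened resolver that refuses absolute input and verifies containment before a path could reach send_file. MEDIA_ROOT, unsafe_resolve, safe_resolve and is_within_root are hypothetical names, and the sample requests are constructed.

```python
import os
import posixpath

# Constructed media root for this example; the real root directory
# is a shiva-server deployment setting and is not reproduced here.
MEDIA_ROOT = "/srv/shiva/media"


def unsafe_resolve(root: str, relative_path: str) -> str:
    """Reproduce the vulnerable pattern from the advisory.

    os.path.join drops every component that precedes an absolute component,
    so a user-supplied absolute path replaces the media root entirely and
    the result would be handed to send_file unchecked.
    """
    return os.path.join(root, relative_path)


def safe_resolve(root: str, relative_path: str) -> str:
    """Resolve relative_path strictly inside root, or raise ValueError.

    Hypothetical hardened replacement for the join in fileserver.py:
    reject absolute input outright, normalise the joined path lexically
    (collapsing '.' and '..'), then require the result to still have root
    as its common prefix. flask.send_from_directory applies an equivalent
    containment check and is the idiomatic fix in Flask.
    """
    # Check both flavours so drive-letter or UNC input is also refused on Windows.
    if os.path.isabs(relative_path) or posixpath.isabs(relative_path):
        raise ValueError("absolute paths are not allowed: %r" % relative_path)
    # URL path segments are POSIX-style, so normalise with posixpath regardless
    # of the host platform to get the same answer everywhere.
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, relative_path))
    if candidate == root_norm:
        raise ValueError("empty path resolves to the media root itself")
    # commonpath, not startswith: '/srv/shiva/media2' must not pass as a child
    # of '/srv/shiva/media'.
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        raise ValueError("path escapes the media root: %r" % relative_path)
    return candidate


def is_within_root(root: str, relative_path: str) -> bool:
    """True if safe_resolve would accept relative_path under root."""
    try:
        safe_resolve(root, relative_path)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate request, the absolute input
    # named in the advisory, and the relative '..' variant.
    for req in ("albums/cover.jpg", "/../../etc/passwd", "../../etc/passwd"):
        print("%-20s unsafe -> %-22s accepted by safe_resolve: %s"
              % (req, unsafe_resolve(MEDIA_ROOT, req),
                 is_within_root(MEDIA_ROOT, req)))
```

The containment check is purely lexical: if the media root may contain symlinks that point outside it, resolve both sides with os.path.realpath before the commonpath comparison so that the check reflects where the file actually lives.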

WAF Protection Rules

WAF Rule

The tooxie/shiva-server repository through 0.10.0 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.