
CVE-2022-41547: MobSF allows attackers to read arbitrary files via a crafted HTTP request

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.86236%
CWE: -
Published: 10/18/2022
Updated: 2/1/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
mobsf          pip         < 0.9.3               0.9.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from improper input validation in the ViewSource function. Commit b9cdd1f changed the regex pattern in `StaticAnalyzer/views.py` to `^[0-9a-f]{32}$`, so the MD5 parameter must be exactly 32 lowercase hex characters with nothing before or after them, which directly closes the LFI vector. The advisory explicitly names `StaticAnalyzer/views.py` as the vulnerable component, and GitHub PR #166 confirms that the ViewSource function was the attack surface for path traversal via MD5 parameter manipulation.
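As an added illustration of the fix described above (example code, not MobSF's own), a minimal Python validator built on the anchored `^[0-9a-f]{32}$` pattern together with a path-containment check that is independent of the regex; `resolve_source_path`, `is_safe_request` and the `uploads` directory are hypothetical names.

```python
import re
from pathlib import Path

# Pattern from the fix: exactly 32 lowercase hex digits, anchored at both ends.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def is_valid_md5(value: str) -> bool:
    """True only if value is a single 32-char lowercase hex MD5 digest."""
    # fullmatch, not search/match: no prefix or suffix may slip past the pattern.
    # With re.match alone, '$' would still accept a trailing newline; fullmatch does not.
    return MD5_RE.fullmatch(value) is not None


def resolve_source_path(upload_root: str, md5: str, relative_file: str) -> Path:
    """Hypothetical helper mapping a request's md5 and file parameters to a path
    under upload_root/<md5>/, rejecting anything that escapes that directory."""
    if not is_valid_md5(md5):
        raise ValueError("md5 parameter is not a 32-char lowercase hex digest")
    scan_dir = (Path(upload_root) / md5).resolve()
    target = (scan_dir / relative_file).resolve()
    # Defence in depth: even with a valid md5, the file parameter must stay
    # inside scan_dir (covers '..' segments and absolute paths alike).
    if target != scan_dir and scan_dir not in target.parents:
        raise ValueError("file parameter escapes the scan directory")
    return target


def is_safe_request(upload_root: str, md5: str, relative_file: str) -> bool:
    """Boolean wrapper: would this (md5, file) pair be served?"""
    try:
        resolve_source_path(upload_root, md5, relative_file)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample parameters, not from a real request.
    good = "0123456789abcdef0123456789abcdef"
    for md5, f in [(good, "src/Main.java"),
                   (good.upper(), "src/Main.java"),
                   ("../" + good, "src/Main.java"),
                   (good, "../../settings.py")]:
        print(f"md5={md5!r:40} file={f!r:22} served={is_safe_request('uploads', md5, f)}")
```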


WAF Protection Rules

WAF Rule

Mobile Security Framework (MobSF) v*.*.* and below was discovered to contain a local file inclusion (LFI) vulnerability in the `StaticAnalyzer/views.py` script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request.
