
CVE-2023-52289: Path traversal in flaskcode

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.6277%
Published: 1/13/2024
Updated: 1/24/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name: flaskcode
Ecosystem: pip
Vulnerable Versions: <= 0.0.8
First Patched Version: (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability description explicitly mentions exploitation via POST requests to /update-resource-data/<file_path> from views.py. In Flask applications, route handlers are implemented as view functions. The path traversal occurs because the file_path parameter is:

1) taken directly from the URL path parameter;
2) used to construct filesystem paths;
3) not validated or sanitized to prevent directory traversal;
4) combined with write operations.

This matches the CWE-22 pattern of improper path limitation. The confidence is high because the advisory specifically identifies both the vulnerable endpoint location (views.py) and the attack pattern.
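The four conditions above describe the generic CWE-22 write primitive rather than any particular line of flaskcode. The following is an added example (not flaskcode's code, and not from the advisory) that shows why a bare os.path.join of a URL parameter is insufficient, and the containment check a view function should apply before writing. The resource root, helper names and sample inputs are all constructed for this illustration.

```python
"""Path-containment check for a user-supplied file path (added example).

Assumptions (not from the advisory): the resource root directory, the helper
names below and every sample input are constructed here for illustration.
"""
import os
import tempfile


def unsafe_target_path(root: str, file_path: str) -> str:
    """The CWE-22 pattern: join the URL parameter onto the root as-is.

    Two failure modes make this insufficient on its own:
      * '..' segments normalise to a location above root;
      * an absolute second argument makes os.path.join discard root entirely.
    """
    return os.path.normpath(os.path.join(root, file_path))


def safe_target_path(root: str, file_path: str) -> str:
    """Resolve file_path under root and refuse anything that escapes it.

    realpath() is applied to both sides so a symlink inside root cannot be
    used to reach outside it, and the commonpath comparison rejects '..'
    sequences; absolute inputs are refused before the join.
    """
    root_real = os.path.realpath(root)
    if os.path.isabs(file_path):
        raise ValueError("absolute paths are not allowed")
    candidate = os.path.realpath(os.path.join(root_real, file_path))
    if candidate == root_real:
        raise ValueError("a file path is required, not the root itself")
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes resource root: {file_path!r}")
    return candidate


def is_contained(root: str, file_path: str) -> bool:
    """True if file_path resolves to a location strictly inside root."""
    try:
        safe_target_path(root, file_path)
        return True
    except ValueError:
        return False


def write_resource(root: str, file_path: str, data: bytes) -> str:
    """What a POST/PUT view function should do before touching the disk."""
    target = safe_target_path(root, file_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Exercise both helpers against constructed inputs in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "resources")
        os.makedirs(root)
        # Constructed: a symlink inside root that points above it.
        os.symlink(tmp, os.path.join(root, "link"))
        written = write_resource(root, "notes/a.txt", b"hello")
        with open(written, "rb") as fh:
            content = fh.read()
        return {
            "unsafe_escapes": unsafe_target_path(root, "../outside.txt")
            == os.path.join(tmp, "outside.txt"),
            "safe_rejects_dotdot": not is_contained(root, "../outside.txt"),
            "safe_rejects_absolute": not is_contained(
                root, os.path.join(tmp, "outside.txt")
            ),
            "safe_rejects_symlink_escape": not is_contained(root, "link/outside.txt"),
            "safe_accepts_nested": written
            == os.path.join(os.path.realpath(root), "notes", "a.txt"),
            "content_written": content == b"hello",
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The check deliberately resolves symlinks on both sides and compares with os.path.commonpath rather than a string prefix test, since a prefix test would accept a sibling directory such as resources-old. Rejecting absolute inputs before the join matters because os.path.join silently drops every earlier component when a later one is absolute.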

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

An issue was discovered in the flaskcode package through 0.0.8 for Python. An unauthenticated directory traversal, exploitable with a POST request to a /update-resource-data/<file_path> URI (from views.py), allows attackers to write to arbitrary file
