CVE-2022-31571 The akashtalole/python-flask-restful-api repository through 2019-09-16 uses unsafe Flask send_file function to achieve path traversal.

CVE-2022-31571 The akashtalole/python-flask-restful-api repository through 2019-09-16 uses unsafe Flask send_file function to achieve path traversal.

In most applications, absolute paths are considered secure because they are typically verified before they are used. The Flask RESTful API allows the send_file function to be used unsafely. This means that any file on the server can be sent as a request body and therefore absolute path traversal can take place. This is demonstrated in the akashtalole/python-flask-restful-api GitHub repository through 2019-09-16 where every request (e.g., POST, PUT) can send a different file with an absolute file path.

Scenario

You are using a Flask RESTful API to create and store content in your database. You have an endpoint which stores the content of a file in the database.

CVE-2023-31572

The Flask RESTful API allows the send_file function to be used unsafely. This means that any file on the server can be sent as a request body and therefore absolute path traversal can take place. This is demonstrated in the akashtalole/python-flask-restful-api GitHub repository through 2019-09-16 where every request (e.g., POST, PUT) can send a different file with an absolute file path.

Step 1: Check the API endpoints

The first step to following this vulnerability is to check the endpoints of the application. The default endpoint for these APIs should be /api/v1/functions/send_file. This endpoint requires a filename parameter, which will be used as the request body when sending a file. In order to determine if this endpoint is vulnerable, you can send a POST request with no parameters and observe what happens. If the request is successful and a response with an HTTP 200 status code is returned, then it will clearly show that absolute path traversal is possible through send_file function.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe