Vulners
Lucene search
py7zr 0.20.0 Directory Traversal
🗓️ 07 Dec 2022 00:00:00Reported by Matteo CosentinoType 
packetstorm🔗 packetstormsecurity.com👁 522 Views
| Reporter | Title | Published | Views | Family All 33 |
|---|---|---|---|---|
 | py7zr 0.20.0 Directory Traversal Vulnerability | 7 Dec 202200:00 | – | zdt |
 | CVE-2022-44900 | 6 Dec 202222:41 | – | circl |
 | py7zr 路径遍历漏洞 | 6 Dec 202200:00 | – | cnnvd |
 | CVE-2022-44900 | 6 Dec 202200:00 | – | cve |
 | CVE-2022-44900 | 6 Dec 202200:00 | – | cvelist |
 | [SECURITY] [DSA 5652-1] py7zr security update | 2 Apr 202418:01 | – | debian |
 | CVE-2022-44900 | 6 Dec 202200:00 | – | debiancve |
 | Debian dsa-5652 : python-py7zr-doc - security update | 2 Apr 202400:00 | – | nessus |
| Ubuntu 22.04 LTS : py7zr vulnerability (USN-7030-1) | 24 Sep 202400:00 | – | nessus |
 | py7zr directory traversal vulnerability | 6 Dec 202221:30 | – | github |
10
`CVE-2022-44900: path traversal vulnerability in py7zr
Directory traversal vulnerability in SevenZipFile.extractall() function of
the python library py7zr version 0.20.0 and earlier allow attackers to read
arbitrary files on the local machine via malicious 7z file extraction.
CVE-2022-44900 <https://www.cve.org/CVERecord?id=CVE-2022-44900>
vulnerability allows attackers to achieve arbitrary file read and arbitrary
file write. To do so, an attacker needs to create a malicious 7z archive
containing a symlink to achieve an arbitrary file read and a file with a
path traversal payload as name to achieve an arbitrary file write.
Exploiting
The script used for tests is the following:
import py7zr
import click
@click.command()
@click.argument("filename")
def main_procedure(filename):
with py7zr.SevenZipFile(filename, 'r') as archive:
archive.extractall()
main_procedure()
The vulnerabile function targeted is py7zr.SevenZipFile.extractall().
A lab setup has been built to test for vulnerabilities. Directories
structured as follow were used:
├── start_point
│ ├── archive.7z
│ └── py7zr_test.py
└── target
├── write
└── read
The start_point directory contains the script used for tests and the
malicious archive containing the path traversal payload in the form of the
filename of an archived file.
To achieve an arbitrary file read, one of the files in the archives needs
to have ../target/write set as name. The content of the file will be
written into target/write.
In a similar way, to achieve an arbitrary file read, a symlink pointing to
../target/read needs to be present in the archive. When extracted the
symlink will consist of the content of target/read.
Disclosure timeline
29/10/2022 - Maintainer was notified privately of the vulnerabilities
30/10/2022 - Response from maintainer
01/11/2022 - Release of patched version 0.20.1
01/11/2022 - CVE ID request
06/12/2022 - CVE ID obtained
06/12/2022 - Public disclosure
------------------------------
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Dec 2022 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.25015