GHSA-FR2W-MP56-G4XP

Vulnerability from github – Published: 2022-06-17 01:16 – Updated: 2022-06-29 21:47
VLAI?
Summary
Unrestricted Attachment Upload
Details

Impact

InvenTree allows unrestricted upload of files as attachments to various database fields. Potentially dangerous files (such as HTML files containing malicious javascript) can be uploaded, and (when opened by the user) run the malicious code directly in the users browser.

image

Note that the upload of malicious files must be performed by an authenticated user account

Solution

The solution for this vulnerability is to ensure that attachment files are downloaded to the local machine before opening, rather than opening the file in the current browser context.

Patches

  • The issue is addressed in the upcoming 0.8.0 release
  • This fix will also be back-ported to the 0.7.x branch, applied to the 0.7.2 release

Workarounds

Users can alleviate risk of opening malicious files by right-clicking on the attachment link and selecting "Save link as"

image

This minimizes risk (e.g. of XSS attacks) by opening the HTML file from the users computer

References

https://huntr.dev/bounties/a0e5c68e-0f75-499b-bd7b-d935fb8c0cd1/

For more information

If you have any questions or comments about this advisory:

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "inventree"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-2111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T01:16:55Z",
    "nvd_published_at": "2022-06-17T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nInvenTree allows unrestricted upload of files as attachments to various database fields. Potentially dangerous files (such as HTML files containing malicious javascript) can be uploaded, and (when opened by the user) run the malicious code directly in the users browser.\n\n![image](https://user-images.githubusercontent.com/10080325/173549827-af2d7a5c-1359-4d68-a920-dfdd0ccc882e.png)\n\n*Note that the upload of malicious files must be performed by an authenticated user account*\n\n### Solution\n\nThe solution for this vulnerability is to ensure that attachment files are downloaded to the local machine before opening, rather than opening the file in the current browser context.\n\n### Patches\n\n- The issue is addressed in the upcoming 0.8.0 release\n- This fix will also be back-ported to the 0.7.x branch, applied to the 0.7.2 release\n\n### Workarounds\n\nUsers can alleviate risk of opening malicious files by right-clicking on the attachment link and selecting \"Save link as\"\n\n![image](https://user-images.githubusercontent.com/10080325/173550035-2de4bf01-f0d3-4be8-ac45-6fbcf66a95e7.png)\n\nThis minimizes risk (e.g. of XSS attacks) by opening the HTML file from the users computer\n\n### References\n\nhttps://huntr.dev/bounties/a0e5c68e-0f75-499b-bd7b-d935fb8c0cd1/\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [github](http://github.com/inventree/inventree)\n* Email us at [security@inventree.org](mailto:security@inventree.org)\n",
  "id": "GHSA-fr2w-mp56-g4xp",
  "modified": "2022-06-29T21:47:25Z",
  "published": "2022-06-17T01:16:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-fr2w-mp56-g4xp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2111"
    },
    {
      "type": "WEB",
      "url": "https://github.com/inventree/inventree/commit/26bf51c20a1c9b3130ac5dd2e17649bece5ff84f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/inventree/inventree-python"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/a0e5c68e-0f75-499b-bd7b-d935fb8c0cd1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unrestricted Attachment Upload"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.