GHSA-JGM9-XPFJ-4FQ6

Vulnerability from github – Published: 2022-01-21 23:20 – Updated: 2024-10-07 21:02
VLAI?
Summary
Path traversal in Onionshare
Details

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.

  • Vulnerability ID: OTF-013
  • Vulnerability type: Improper Hardening
  • Threat level: Low

Description:

The filesystem restriction could be hardened and should only allow for pre-defined subfolders.

Technical description:

The Flatpak and Snap configurations allow for read-only access on the whole home folder. The relevant lines in the configuration files are onionshare/snap/snapcraft.yaml#L20 and onionshare/flatpak/org.onionshare.OnionShare.yaml#L19 , respectively.

The encapsulation of filesystem access via these mechanisms should be restricted to pre-defined folders and not allow for access to (configuration) files outside the Onionshare-specific folders.

Sadly Snap does not allow for further restriction to specific folders and therefore cannot be further hardened. By default both frameworks disallow access to hidden folders and therefore reduce the potential impact.

Impact:

An adversary with a primitive that allows for filesystem access from the context of the Onionshare process can access sensitive files in the entire user home folder. This could lead to the leaking of sensitive data. Due to the automatic exclusion of hidden folders, the impact is reduced.

Recommendation:

  • Reduce read access in Flatpak configuration.
Severity ?
6.3 (Medium)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
4.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "onionshare-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3"
            },
            {
              "fixed": "2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-19T19:28:05Z",
    "nvd_published_at": "2022-01-18T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Between September 26, 2021 and October 8, 2021, [Radically Open Security](https://www.radicallyopensecurity.com/) conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund\u0027s [Red Team lab](https://www.opentech.fund/labs/red-team-lab/). This is an issue from that penetration test.\n\n- Vulnerability ID: OTF-013\n- Vulnerability type: Improper Hardening\n- Threat level: Low\n\n## Description:\n\nThe filesystem restriction could be hardened and should only allow for pre-defined subfolders.\n\n## Technical description:\n\nThe Flatpak and Snap configurations allow for read-only access on the whole home folder. The relevant lines in the configuration files are `onionshare/snap/snapcraft.yaml#L20` and `onionshare/flatpak/org.onionshare.OnionShare.yaml#L19` , respectively.\n\nThe encapsulation of filesystem access via these mechanisms should be restricted to pre-defined folders and not allow for access to (configuration) files outside the Onionshare-specific folders.\n\nSadly Snap does not allow for further restriction to specific folders and therefore cannot be further hardened. By default both frameworks disallow access to hidden folders and therefore reduce the potential impact.\n\n## Impact:\n\nAn adversary with a primitive that allows for filesystem access from the context of the Onionshare process can access sensitive files in the entire user home folder. This could lead to the leaking of sensitive data. Due to the automatic exclusion of hidden folders, the impact is reduced.\n\n## Recommendation:\n\n- Reduce read access in Flatpak configuration.",
  "id": "GHSA-jgm9-xpfj-4fq6",
  "modified": "2024-10-07T21:02:51Z",
  "published": "2022-01-21T23:20:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21693"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/onionshare/onionshare"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/onionshare-cli/PYSEC-2022-44.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Path traversal in Onionshare"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.