EIQ-2020-0016


ID

EIQ-2020-0016

CVE

-

Description

lxml can enable arbitrary file write

Date

07 Dec 2020

Severity

2 - MEDIUM

CVSSv3 score

5.3
(Snyk score)

Status

Fixed in 2.9.0

Assessment

lxml versions 4.3.5 and earlier can enable arbitrary file write through path traversal.

When lxml is given a file path to write to, it may wrongly treat the % character as a URL escape and decode %XX sequences in the path. A path that carries encoded traversal sequences (for example %2E%2E%2F, which decodes to ../) is then written to a different file or directory than the one the caller intended.

By exploiting this vulnerability, a potential attacker can break out of the directory the platform intends to write to, and they may be able to access files in other directories.
They might be able to read and write to restricted files on the targeted machine.

To exploit the vulnerability, a potential attacker would need:

  • Sign-in access to the platform as a non-admin user.

  • A valid API token, and the ability to send requests to the platform API endpoints.

  • At least the modify-entities permission to write and to modify STIX XML entities.

Mitigation

The issue is fixed in lxml versions 4.4.0 and later.
EclecticIQ Platform 2.9.0 ships with lxml version 4.6.2.

To mitigate this vulnerability:

  • Do not parse URL paths from untrusted sources.

  • Reject file paths containing the % character, and file paths containing the ../ pattern.
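The following is an added example, not code from lxml or from the EclecticIQ Platform. It implements the two mitigation checks listed above as a path validator and, alongside it, a simplified model of the fault described in the Assessment: a path whose %XX escapes are URL-decoded before the write resolves to a different location than the literal path. The base directory, the hostile path and the extra containment check are constructed for illustration and are not taken from the advisory.

```python
import posixpath
from urllib.parse import unquote

# Constructed example: the directory the application intends to write under.
BASE_DIR = "/srv/platform/exports"


class UnsafePathError(ValueError):
    """Raised when a caller-supplied file path fails the mitigation checks."""


def check_output_path(user_path, base_dir=BASE_DIR):
    """Apply the advisory's mitigation to a caller-supplied relative path.

    1. Reject the URL escape character '%' outright, so no '%XX' sequence
       can later be decoded into '..' or a path separator.
    2. Reject the literal '../' traversal pattern.
    3. Added defence-in-depth (not one of the advisory's listed steps):
       normalise the joined path and confirm it still lies under base_dir,
       which also catches absolute paths such as '/etc/passwd'.
    Returns the normalised absolute path on success.
    """
    if "%" in user_path:
        raise UnsafePathError("URL escape character '%' is not allowed in file paths")
    if "../" in user_path:
        raise UnsafePathError("directory traversal pattern '../' is not allowed")
    target = posixpath.normpath(posixpath.join(base_dir, user_path))
    if posixpath.commonpath([base_dir, target]) != base_dir:
        raise UnsafePathError("path resolves outside the intended directory")
    return target


def is_safe_output_path(user_path, base_dir=BASE_DIR):
    """Boolean wrapper around check_output_path for callers that only need a verdict."""
    try:
        check_output_path(user_path, base_dir)
        return True
    except UnsafePathError:
        return False


def resolved_without_decoding(user_path, base_dir=BASE_DIR):
    """Where the path should end up: joined and normalised as literal characters."""
    return posixpath.normpath(posixpath.join(base_dir, user_path))


def resolved_after_url_decoding(user_path, base_dir=BASE_DIR):
    """Simplified model of the fault the advisory describes: '%XX' escapes in
    the path are URL-decoded before the write, so an encoded '..' becomes a
    real traversal component. This models the described behaviour and is not
    lxml's own code."""
    return posixpath.normpath(posixpath.join(base_dir, unquote(user_path)))


if __name__ == "__main__":
    # Constructed attacker-controlled path: each '%2E%2E' decodes to '..'.
    hostile = "%2E%2E/%2E%2E/%2E%2E/etc/cron.d/job"
    print("literal target :", resolved_without_decoding(hostile))
    print("decoded target :", resolved_after_url_decoding(hostile))
    for candidate in ("2020/report.xml", hostile, "../../etc/passwd", "/etc/passwd"):
        try:
            print("accepted :", check_output_path(candidate))
        except UnsafePathError as exc:
            print("rejected :", candidate, "->", exc)
```

Running the module shows the literal path staying under /srv/platform/exports while the decoded form of the same string lands on /etc/cron.d/job; the validator rejects it on the first check (the % character) before any decoding can take place.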

Affected versions

2.8.0 and earlier.

Notes


See also:


In release notes 2.9.0