EIQ-2020-0016#

ID	EIQ-2020-0016
CVE	-
Description	lxml can enable arbitrary file write
Date	07 Dec 2020
Severity	2 - MEDIUM
CVSSv3 score	5.3 (Snyk score)
Status	✅ 2.9.0
Assessment	lxml versions 4.3.5 and earlier can enable arbitrary file write through path traversal. URL parsing may wrongly interpret the `%` URL escape character in file paths. When parsing file paths, this could lead to enabling writing to a different file or directory than the intended one. By exploiting this vulnerability, potential attackers can break out of the web server’s root directory, and they may be able to access files in other directories. They might be able to read and write to restricted files on the targeted machine. To exploit the vulnerability, a potential attacker would need: Sign-in access to the platform as a non-admin user. A valid API token, and the ability to send requests to the platform API endpoints. At least the modify-entities permission to write and to modify STIX XML entities.
Mitigation	The issue is fixed in lxml versions 4.4.0 and later. EclecticIQ Platform 2.9.0 ships with lxml version 4.6.2. To mitigate this vulnerability: Do not parse URL paths from unstrusted sources. Reject file paths containing the % character, and file paths containing the `../` pattern.
Affected versions	2.8.0 and earlier.
Notes	For more information, see: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) GitHub commit with the fix lxml version 4.6.2