GHSA-4mmh-5vw7-rgvj

Suggest an improvement
Source
https://github.com/advisories/GHSA-4mmh-5vw7-rgvj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-4mmh-5vw7-rgvj/GHSA-4mmh-5vw7-rgvj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4mmh-5vw7-rgvj
Aliases
Published
2022-08-18T19:07:58Z
Modified
2023-11-08T04:09:56.951434Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N CVSS Calculator
Summary
Venice vulnerable to Partial Path Traversal issue within the functions `load-file` and `load-resource`
Details

Impact

A partial path traversal issue exists within the functions load-file and load-resource. These functions can be limited to load files from a list of load paths.

Assuming Venice has been configured with the load paths: [ "/Users/foo/resources" ]

When passing relative paths to these two vulnerable functions everything is fine: (load-resource "test.png") => loads the file "/Users/foo/resources/test.png" (load-resource "../resources-alt/test.png") => rejected, outside the load path

When passing absolute paths to these two vulnerable functions Venice may return files outside the configured load paths: (load-resource "/Users/foo/resources/test.png") => loads the file "/Users/foo/resources/test.png" (load-resource "/Users/foo/resources-alt/test.png") => loads the file "/Users/foo/resources-alt/test.png" !!! The latter call suffers from the Partial Path Traversal vulnerability.

This issue’s scope is limited to absolute paths whose name prefix matches a load path. E.g. for a load-path "/Users/foo/resources", the actor can cause loading a resource also from "/Users/foo/resources-alt", but not from "/Users/foo/images".

Versions of Venice before and including v1.10.16 are affected by this issue.

Patches

Upgrade to Venice >= 1.10.17, if you are on a version < 1.10.17

Workarounds

If you cannot upgrade the library, you can control the functions that can be used in Venice with a sandbox. If it is appropriate, the functions load-file and load-resource can be blacklisted in the sandbox.

References

For more information

If you have any questions or comments about this advisory: * Open an issue in GitHub Venice * Email us at juerg.ch

Credits

I want to publicly recognize the contribution of Jonathan Leitschuh for reporting this issue.

Database specific 
{
    "nvd_published_at": "2022-08-15T11:21:00Z",
    "github_reviewed_at": "2022-08-18T19:07:58Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Maven / com.github.jlangch:venice

Package

Name
com.github.jlangch:venice
View open source insights on deps.dev
Purl
pkg:maven/com.github.jlangch/venice

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.10.17

Affected versions

0.*

0.4.0
0.5.0
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.8
0.9.9
0.9.10
0.9.11
0.9.12

1.*

1.0.0
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.3.2
1.3.4
1.3.5
1.3.6
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.5.10
1.5.11
1.6.0
1.6.1
1.6.2
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14
1.7.15
1.7.16
1.7.17
1.7.18
1.7.19
1.7.20
1.7.21
1.7.22
1.7.23
1.7.24
1.7.25
1.7.26
1.7.27
1.7.28
1.7.29
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.7
1.8.8
1.8.9
1.8.10
1.8.11
1.8.12
1.8.13
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.9.7
1.9.8
1.9.9
1.9.10
1.9.11
1.9.12
1.9.13
1.9.14
1.9.15
1.9.16
1.9.17
1.9.18
1.9.19
1.9.20
1.9.21
1.9.22
1.9.23
1.9.24
1.9.25
1.9.26
1.9.27
1.9.28
1.9.29
1.9.30
1.9.31
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.10.5
1.10.6
1.10.7
1.10.8
1.10.9
1.10.10
1.10.11
1.10.12
1.10.13
1.10.14
1.10.15
1.10.16

Database specific 

{
    "last_known_affected_version_range": "<= 1.10.16"
}