GHSA-r9x7-2xmr-v8fw

Suggest an improvement
Source
https://github.com/advisories/GHSA-r9x7-2xmr-v8fw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-r9x7-2xmr-v8fw/GHSA-r9x7-2xmr-v8fw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r9x7-2xmr-v8fw
Aliases
Published
2022-09-16T17:45:28Z
Modified
2024-09-30T17:24:09.629865Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
mangadex-downloader vulnerable to unauthorized file reading
Details

Impact

When using file:<location> command and <location> is web URL location (http, https). mangadex-downloader will try to open and read a file in local disk if the content from online file is exist-as-a-file in victim computer

So far, the app only read the files and not execute it. But still, when someone reading your files without you knowing, it's very scary.

Proof of Concept (PoC)

https://www.mansuf.link/unauthorized-file-read-in-mangadex-downloader-cve-2022-36082/

Workarounds

Unfortunately, there is no workarounds to make it safe from this issue. But i suggest you double check the url before proceed to download or update to latest version ( >= 1.7.2)

Patches

Fixed in version 1.7.2. Commit patch: https://github.com/mansuf/mangadex-downloader/commit/439cc2825198ebc12b3310c95c39a8c7710c9b42

References

Affected packages

PyPI / mangadex-downloader

Package

Name
mangadex-downloader
View open source insights on deps.dev
Purl
pkg:pypi/mangadex-downloader

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.7.2

Affected versions

1.*

1.3.0
1.4.0
1.5.0
1.6.0
1.6.1
1.6.2
1.7.0
1.7.1