CVE-2022-41712: Frappe 14.10.0 - Local File Read | Advisories | Fluid Attacks
Summary
Name: Frappe 14.10.0 - LFR
Code name: Kiniza
Product: Frappe
Affected versions: Version 14.10.0
State: Public
Release date: 2022-11-21
Vulnerability
Kind: Lack of data validation - Path Traversal
Rule: 063. Lack of data validation - Path Traversal
Remote: Yes
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSSv3 Base Score: 4.3
Exploit available: Yes
CVE ID(s): CVE-2022-41712
Description
Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter.
Vulnerability
This vulnerability occurs because the application does not correctly validate the path supplied in the import_file parameter. As a result, an attacker can point it at internal server files.
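A containment check of the kind this missing validation calls for, as an added example (not Frappe's code and not its actual patch). The names `resolve_import_file` and `UnsafeImportPath`, the upload directory layout and the sample inputs are hypothetical and constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeImportPath(ValueError):
    """The requested import file is not a regular file inside the allowed directory."""


def resolve_import_file(import_file: str, base_dir: str) -> Path:
    """Return the real path of import_file only if it stays under base_dir."""
    if not import_file or "\x00" in import_file:
        raise UnsafeImportPath("empty or malformed path")
    base = Path(base_dir).resolve(strict=True)
    # Join, then resolve: collapses ".." segments and follows symlinks. Joining an
    # absolute path discards base, so containment is checked on the resolved result.
    candidate = (base / import_file).resolve()
    if base not in candidate.parents:
        raise UnsafeImportPath(f"{import_file!r} resolves outside {base}")
    if not candidate.is_file():
        raise UnsafeImportPath(f"{import_file!r} is not a regular file")
    return candidate


def demo() -> dict:
    """Check constructed inputs against a temporary upload directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        uploads = Path(root, "uploads")
        uploads.mkdir()
        (uploads / "contacts.csv").write_text("name,email\n")
        outside = Path(root, "outside.txt")  # constructed file outside the upload dir
        outside.write_text("not for import\n")
        os.symlink(outside, uploads / "link.csv")
        cases = {
            "plain": "contacts.csv",
            "normalised": "sub/../contacts.csv",
            "dotdot": "../outside.txt",
            "absolute": str(outside),
            "symlink": "link.csv",
        }
        for label, value in cases.items():
            try:
                resolve_import_file(value, str(uploads))
                results[label] = "allowed"
            except UnsafeImportPath:
                results[label] = "rejected"
    return results
```

Checking the resolved path rather than filtering the raw string is what makes the symlink and absolute-path cases fail closed.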
Evidence of exploitation
Our security policy
We have reserved the CVE-2022-41712 to refer to this issue from now on.
- https://fluidattacks.com/advisories/policy/
System Information
Version: Frappe 14.10.0
Operating System: GNU/Linux
Mitigation
An updated version of Badaso is available at the vendor page.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks’ Offensive Team.
References
Vendor page https://github.com/frappe/frappe
Release page https://github.com/frappe/frappe/releases/tag/v14.12.0
Timeline
2022-10-10: Vulnerability discovered.
2022-10-10: Vendor contacted.
2022-10-10: Vendor replied acknowledging the report.
2022-10-11: Vendor confirmed the vulnerability.
2022-10-12: Vulnerability patched.
2022-11-21: Public disclosure.