Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mcjJ3LW1wNTYtZzR4cM4AArtJ
Unrestricted Attachment Upload
Impact
InvenTree allows unrestricted upload of files as attachments to various database fields. Potentially dangerous files (such as HTML files containing malicious javascript) can be uploaded, and (when opened by the user) run the malicious code directly in the users browser.
Note that the upload of malicious files must be performed by an authenticated user account
Solution
The solution for this vulnerability is to ensure that attachment files are downloaded to the local machine before opening, rather than opening the file in the current browser context.
Patches
- The issue is addressed in the upcoming 0.8.0 release
- This fix will also be back-ported to the 0.7.x branch, applied to the 0.7.2 release
Workarounds
Users can alleviate risk of opening malicious files by right-clicking on the attachment link and selecting "Save link as"
This minimizes risk (e.g. of XSS attacks) by opening the HTML file from the users computer
References
https://huntr.dev/bounties/a0e5c68e-0f75-499b-bd7b-d935fb8c0cd1/
For more information
If you have any questions or comments about this advisory:
- Open an issue in github
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mcjJ3LW1wNTYtZzR4cM4AArtJ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-fr2w-mp56-g4xp, CVE-2022-2111
References:
- https://github.com/inventree/InvenTree/security/advisories/GHSA-fr2w-mp56-g4xp
- https://nvd.nist.gov/vuln/detail/CVE-2022-2111
- https://github.com/inventree/inventree/commit/26bf51c20a1c9b3130ac5dd2e17649bece5ff84f
- https://huntr.dev/bounties/a0e5c68e-0f75-499b-bd7b-d935fb8c0cd1
- https://github.com/advisories/GHSA-fr2w-mp56-g4xp
Blast Radius: 6.2
Affected Packages
pypi:inventree
Dependent packages: 1Dependent repositories: 5
Downloads: 890 last month
Affected Version Ranges: < 0.7.2
Fixed in: 0.7.2
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.4, 0.3.1, 0.3.2, 0.4.4, 0.6.0, 0.6.1, 0.7.0, 0.7.1
All unaffected versions: 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.13.2, 0.13.3