Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1weGZ2LTdycjMtMnFqZ84AA0t-
copyparty vulnerable to path traversal attack
Summary
All versions before 1.8.2 have a path traversal vulnerability, allowing an attacker to download unintended files from the server.
Details
Unauthenticated users were able to retrieve any files which are accessible (according to OS-level permissions) from the copyparty process. Usually, this is all files that are readable by the OS account which is used to run copyparty.
The vulnerability did not make it possible to list the contents of folders, so an attacker needs to know the full absolute path to the file, or the relative path from where copyparty is installed.
Some methods of running copyparty (prisonparty, the nix package, and docker) had a mitigating effect, mostly reducing the attack scope to files inside copyparty volumes, and possibly the copyparty config file.
Checking for attacks
Please keep in mind that, if an attacker were to find a way to overwrite the logs, for example by discovering the password to another service with sufficient privileges, then the following approaches cannot be trusted.
if copyparty was only accessible through a reverse proxy, then all attacks would be visible in the webserver access-log as URLs which contain both .cpr/
and %2F
- nginx:
(gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -E 'cpr/.*%2[^0]' | grep -vF data:image/svg
However, if copyparty was directly accessible from the internet, then any successful attacks (file retrievals) would unfortunately leave no trace. That said, it is very probable that an attacker would make at least one invalid attempt, which would become apparent in the copyparty server log, detectable with grep -aE '(Errno|Permission).*\.cpr/'
revealing the following:
- python2 example:
[IOError] [Errno 13] Permission denied: '/etc/shadow', .cpr//etc/shadow
- python3 example:
[PermissionError] [Errno 13] Permission denied: b'/etc/shadow', .cpr//etc/shadow
Providing an exact command for this approach is difficult, as it depends on how copyparty is deployed;
- if copyparty was running as a systemd service:
journalctl -am | grep -aE '(Errno|Permission).*\.cpr/'
- if copyparty was logging to a compressed file:
xz -kdc thefilename.xz | grep -aE '(Errno|Permission).*\.cpr/'
- if the copyparty log is available in a plaintext file:
grep -aE '(Errno|Permission).*\.cpr/' thefilename.txt
PoC / attack example
curl -sik http://127.0.0.1:3923/.cpr/%2Fetc%2Fpasswd
curl -sik http://127.0.0.1:3923/.cpr/..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
Permalink: https://github.com/advisories/GHSA-pxfv-7rr3-2qjgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1weGZ2LTdycjMtMnFqZ84AA0t-
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 6 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-pxfv-7rr3-2qjg, CVE-2023-37474
References:
- https://github.com/9001/copyparty/security/advisories/GHSA-pxfv-7rr3-2qjg
- https://nvd.nist.gov/vuln/detail/CVE-2023-37474
- https://github.com/9001/copyparty/commit/043e3c7dd683113e2b1c15cacb9c8e68f76513ff
- https://github.com/9001/copyparty/releases/tag/v1.8.2
- https://github.com/pypa/advisory-database/tree/main/vulns/copyparty/PYSEC-2023-127.yaml
- http://packetstormsecurity.com/files/173822/Copyparty-1.8.2-Directory-Traversal.html
- https://github.com/advisories/GHSA-pxfv-7rr3-2qjg
Blast Radius: 0.0
Affected Packages
pypi:copyparty
Dependent packages: 0Dependent repositories: 1
Downloads: 2,677 last month
Affected Version Ranges: < 1.8.2
Fixed in: 1.8.2
All affected versions: 0.2.3, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.6.0, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.8.1, 0.8.3, 0.9.0, 0.9.1, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.13, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.10.10, 0.10.11, 0.10.12, 0.10.13, 0.10.14, 0.10.15, 0.10.16, 0.10.17, 0.10.18, 0.10.19, 0.10.20, 0.10.21, 0.10.22, 0.11.0, 0.11.1, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.11.9, 0.11.10, 0.11.11, 0.11.12, 0.11.13, 0.11.14, 0.11.15, 0.11.16, 0.11.17, 0.11.18, 0.11.19, 0.11.20, 0.11.21, 0.11.22, 0.11.23, 0.11.24, 0.11.26, 0.11.27, 0.11.28, 0.11.29, 0.11.30, 0.11.31, 0.11.32, 0.11.33, 0.11.34, 0.11.35, 0.11.36, 0.11.37, 0.11.38, 0.11.39, 0.11.40, 0.11.41, 0.11.42, 0.11.43, 0.11.44, 0.11.45, 0.11.46, 0.11.47, 0.12.1, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.12.12, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.5, 0.13.6, 0.13.7, 0.13.9, 0.13.10, 0.13.11, 0.13.12, 0.13.13, 0.13.14, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.3.12, 1.3.13, 1.3.14, 1.3.15, 1.3.16, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.8.0, 1.8.1
All unaffected versions: 1.8.2, 1.8.3, 1.8.4, 1.8.6, 1.8.7, 1.8.8, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9, 1.9.10, 1.9.11, 1.9.12, 1.9.13, 1.9.14, 1.9.15, 1.9.16, 1.9.17, 1.9.18, 1.9.19, 1.9.20, 1.9.21, 1.9.22, 1.9.23, 1.9.24, 1.9.25, 1.9.26, 1.9.27, 1.9.28, 1.9.29, 1.9.30, 1.9.31, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.13.0, 1.13.1