Flask-AppBuilder, Path Traversal Vulnerability, CVE-2024-43389 (Critical)

Listen to this Post

This vulnerability exploits the behavior of Python’s `os.path.join()` function within Flask-AppBuilder’s file upload logic. When the non-default configuration options `UPLOAD_DIR` is set and `UPLOAD_KEEP_FILENAME=True` are both enabled, the application constructs a file path by joining the intended upload directory with the user-supplied filename. If an attacker submits a filename beginning with a forward slash (e.g., /etc/passwd), `os.path.join()` discards the preceding `UPLOAD_DIR` path component entirely. This results in the file being written to the absolute path specified by the attacker, enabling arbitrary file write to any location the application process can access.

dailycve

Platform: Flask-AppBuilder
Version: <0.0.22
Vulnerability: Path Traversal
Severity: Critical
date: 2024

Prediction: Patch released 2024

What Undercode Say:

Simulating the vulnerable path join
python3 -c "import os; print(os.path.join('/app/uploads', '/etc/shadow'))"
Example of malicious upload request
malicious_filename = "/etc/cron.d/exploit"
When UPLOAD_KEEP_FILENAME=True, the path becomes:
os.path.join(UPLOAD_DIR, malicious_filename) -> /etc/cron.d/exploit

How Exploit:

Attacker crafts a multipart file upload request with a filename parameter containing an absolute path (e.g., `../../../../etc/passwd` or /etc/passwd). The application, with the vulnerable configuration, saves the file contents to the attacker-specified location instead of the intended upload directory.

Protection from this CVE:

Upgrade to version 0.0.22. If upgrade is not possible, do not set `UPLOAD_KEEP_FILENAME=True` in the configuration. Implement strict input validation on uploaded filenames, sanitizing path separators.

Impact:

Arbitrary File Write leading to Remote Code Execution, system file corruption, or data theft.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top