Frappe 14.10.0 - Local File Read

Summary

NameFrappe 14.10.0 - LFR
Code nameKiniza
ProductFrappe
Affected versionsVersion 14.10.0
StatePublic
Release date2022-11-21

Vulnerability

KindLack of data validation - Path Traversal
Rule063. Lack of data validation - Path Traversal
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSSv3 Base Score4.3
Exploit availableYes
CVE ID(s)CVE-2022-41712

Description

Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter.

Vulnerability

This vulnerability occurs because the application does not correctly validate the path of the import_file parameter. Thanks to this, an attacker can point to internal server files.

Evidence of exploitation

LFR-Frappe.png

LFR-Frappe.gif

Our security policy

We have reserved the CVE-2022-41712 to refer to this issue from now on.

System Information

  • Version: Frappe 14.10.0

  • Operating System: GNU/Linux

Mitigation

An updated version of Badaso is available at the vendor page.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/frappe/frappe

Release page https://github.com/frappe/frappe/releases/tag/v14.12.0

Timeline

Time-lapse-logo

2022-10-10

Vulnerability discovered.

Time-lapse-logo

2022-10-10

Vendor contacted.

Time-lapse-logo

2022-10-10

Vendor replied acknowledging the report.

Time-lapse-logo

2022-10-11

Vendor Confirmed the vulnerability.

Time-lapse-logo

2022-10-12

Vulnerability patched.

Time-lapse-logo

2022-11-21

Public Disclosure.