Frappe 14.10.0 - Local File Read
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Frappe 14.10.0 - LFR
Code name
State
Public
Release date
21 nov 2022
Affected product
Frappe
Affected version(s)
Version 14.10.0
Vulnerability name
Lack of data validation - Path Traversal
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v3.1 base score
4.3
Exploit available
Yes
CVE ID(s)
Description
Frappe version 14.10.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not correctly validate the information injected by the user in the import_file parameter.
Vulnerability
This vulnerability occurs because the application does not correctly validate the path of the import_file parameter. Thanks to this, an attacker can point to internal server files.
Evidence of exploitation
Our security policy
We have reserved the CVE-2022-41712 to refer to this issue from now on. Disclosure policy
System Information
Version: Frappe 14.10.0
Operating System: GNU/Linux
Mitigation
An updated version of Badaso is available at the vendor page.
References
Vendor page https://github.com/frappe/frappe
Release page https://github.com/frappe/frappe/releases/tag/v14.12.0
Timeline
10 oct 2022
Vulnerability discovered
10 oct 2022
Vendor contacted
10 oct 2022
Vendor replied
11 oct 2022
Vendor confirmed
12 oct 2022
Vulnerability patched
21 nov 2022
Public disclosure
Does your application use this vulnerable software?
During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.
