logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-32309 pymdown-extensions

Package

Manager: pip
Name: pymdown-extensions
Vulnerable Version: >=1.5 <10.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.045 pctl0.88693

Details

Any file can be included with the pymdown-snippets extension ### Summary Arbitrary file read when using include file syntax. ### Details By using the syntax `--8<--"/etc/passwd"` or `--8<--"/proc/self/environ"` the content of these files will be rendered in the generated documentation. Additionally, a path relative to a specified, allowed base path can also be used to render the content of a file outside the specified base paths: `--8<-- "../../../../etc/passwd"`. Within the Snippets extension, there exists a `base_path` option but the implementation is vulnerable to Directory Traversal. The vulnerable section exists in `get_snippet_path(self, path)` lines 155 to 174 in snippets.py. ``` base = "docs" path = "/etc/passwd" filename = os.path.join(base,path) # Filename is now /etc/passwd ``` ### PoC ```py import markdown payload = "--8<-- \"/etc/passwd\"" html = markdown.markdown(payload, extensions=['pymdownx.snippets']) print(html) ``` ### Impact Any readable file on the host where the plugin is executing may have its content exposed. This can impact any use of Snippets that exposes the use of Snippets to external users. It is never recommended to use Snippets to process user-facing, dynamic content. It is designed to process known content on the backend under the control of the host, but if someone were to accidentally enable it for user-facing content, undesired information could be exposed. ### Suggestion Specified snippets should be restricted to the configured, specified base paths as a safe default. Allowing relative or absolute paths that escape the specified base paths would need to be behind a feature switch that must be opt-in and would be at the developer's own risk.

Metadata

Created: 2023-05-15T20:50:23Z
Modified: 2023-08-24T20:43:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-jh85-wwv9-24hv/GHSA-jh85-wwv9-24hv.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-jh85-wwv9-24hv
Finding: F063
Auto approve: 1