Skip to main content

Whoogle Search CVE-2024-22204

MEDIUM
Path Traversal (CWE-22)
2024-01-23 security-advisories@github.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jan 23, 2024 - 18:15 nvd
MEDIUM 5.3

DescriptionNVD

Whoogle Search is a self-hosted metasearch engine. Versions 0.8.3 and prior have a limited file write vulnerability when the configuration options in Whoogle are enabled. The config function in app/routes.py does not validate the user-controlled name variable on line 447 and config_data variable on line 437. The name variable is insecurely concatenated in os.path.join, leading to path manipulation. The POST data from the config_data variable is saved with pickle.dump which leads to a limited file write. However, the data that is saved is earlier transformed into a dictionary and the url key value pair is added before the file is saved on the system. All in all, the issue allows us to save and overwrite files on the system that the application has permissions to, with a dictionary containing arbitrary data and the url key value, which is a limited file write. Version 0.8.4 contains a patch for this issue.

AnalysisAI

Whoogle Search is a self-hosted metasearch engine. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Whoogle Search is a self-hosted metasearch engine. Versions 0.8.3 and prior have a limited file write vulnerability when the configuration options in Whoogle are enabled. The config function in app/routes.py does not validate the user-controlled name variable on line 447 and config_data variable on line 437. The name variable is insecurely concatenated in os.path.join, leading to path manipulation. The POST data from the config_data variable is saved with pickle.dump which leads to a limited file write. However, the data that is saved is earlier transformed into a dictionary and the url key value pair is added before the file is saved on the system. All in all, the issue allows us to save and overwrite files on the system that the application has permissions to, with a dictionary containing arbitrary data and the url key value, which is a limited file write. Version 0.8.4 contains a patch for this issue. Affected products include: Benbusby Whoogle Search. Version information: Version 0.8.4.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

Share

CVE-2024-22204 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy