CVE-2022-23522

CVE-2022-23522 is a medium-severity path traversal vulnerability in mindsdb (pip), affecting versions < 22.11.4.3. It is fixed in 22.11.4.3.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Arbitrary file write in mindsdb when Extracting Tarballs retrieved from a remote location

An unsafe extraction is being performed using shutil.unpack_archive() from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a TarSlip or a ZipSlip variant.

Details

Unpacking files using the high-level function shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path remained within the intended destination directory may cause files to be overwritten outside the destination directory.

As can be seen in the vulnerable snippet code source, an archive is being retrieved using the download_file() function from a remote location which is a user-provided permanent storage bucket s3. Immediately after being retrieved, the tarball is unsafely unpacked using the function shutil.unpack_archive().

The vulnerable code is L128..L129 in fs.py file.

    def __init__(self):
        super().__init__()
        if 's3_credentials' in self.config['permanent_storage']:
            self.s3 = boto3.client('s3', **self.config['permanent_storage']['s3_credentials'])
        else:
            self.s3 = boto3.client('s3')
       
        # User provided remote storage!
        self.bucket = self.config['permanent_storage']['bucket'] 

    def get(self, local_name, base_dir):
        remote_name = local_name
        remote_ziped_name = f'{remote_name}.tar.gz'
        local_ziped_name = f'{local_name}.tar.gz'
        local_ziped_path = os.path.join(base_dir, local_ziped_name)
        os.makedirs(base_dir, exist_ok=True)
        
        # Retrieve a potentially malicious tarball
        self.s3.download_file(self.bucket, remote_ziped_name, local_ziped_path)

        # Perform an unsafe extraction
        shutil.unpack_archive(local_ziped_path, base_dir)

        os.system(f'chmod -R 777 {base_dir}')
        os.remove(local_ziped_path)

PoC

The following PoC is provided for illustration purposes only. It showcases the risk of extracting a non-harmless text file sim4n6.txt to one of the parent locations rather than the intended current folder.

> tar --list -f archive.tar
tar: Removing leading "../../../" from member names
../../../sim4n6.txt

> python3 
Python 3.10.6 (main, Nov  2 2022, 18:53:38) [GCC 11.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import shutil
>>> shutil.unpack_archive("archive.tar")
>>> exit()

> test -f ../../../sim4n6.txt && echo "sim4n6.txt exists"
sim4n6.txt exists

Attack Scenario

An attacker could craft a malicious tarball with a filename path, such as ../../../../../../../../etc/passwd, and then serve the archive remotely using a personal bucket s3, thus, retrieve the tarball through mindsdb and overwrite the system files of the hosting server.

Mitigation

Potential mitigation could be to:

  • Use a safer module, like zipfile.
  • Validate the location of the extracted files and discard those with malicious paths such as relative path .. or absolute path such as /etc/password.
  • Perform a checksum verification for the retrieved archive, but hard-coding the hashes may be cumbersome and difficult to manage.

Impact

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

CVE-2022-23522 has a CVSS score of 8.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (22.11.4.3); upgrading removes the vulnerable code path.

Affected versions

mindsdb (< 22.11.4.3)

Security releases

mindsdb → 22.11.4.3 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade mindsdb to 22.11.4.3 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2022-23522? CVE-2022-23522 is a medium-severity path traversal vulnerability in mindsdb (pip), affecting versions < 22.11.4.3. It is fixed in 22.11.4.3. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is CVE-2022-23522? CVE-2022-23522 has a CVSS score of 8.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of mindsdb are affected by CVE-2022-23522? mindsdb (pip) versions < 22.11.4.3 is affected.
  4. Is there a fix for CVE-2022-23522? Yes. CVE-2022-23522 is fixed in 22.11.4.3. Upgrade to this version or later.
  5. Is CVE-2022-23522 exploitable, and should I be worried? Whether CVE-2022-23522 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2022-23522 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2022-23522? Upgrade mindsdb to 22.11.4.3 or later.

Other vulnerabilities in mindsdb

Stop the waste.
Protect your environment with Kodem.