[MAVEN:GHSA-4MMH-5VW7-RGVJ] Venice vulnerable to Partial Path Traversal issue within the functions `load-file` and `load-resource`

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

Impact

A partial path traversal issue exists within the functions load-file and load-resource. These functions can be limited to load files from a list of load paths.

Assuming Venice has been configured with the load paths: [ "/Users/foo/resources" ]

When passing relative paths to these two vulnerable functions everything is fine:
(load-resource "test.png") => loads the file "/Users/foo/resources/test.png"
(load-resource "../resources-alt/test.png") => rejected, outside the load path

When passing absolute paths to these two vulnerable functions Venice may return files outside the configured load paths:
(load-resource "/Users/foo/resources/test.png") => loads the file "/Users/foo/resources/test.png"
(load-resource "/Users/foo/resources-alt/test.png") => loads the file "/Users/foo/resources-alt/test.png" !!!
The latter call suffers from the Partial Path Traversal vulnerability.

This issue’s scope is limited to absolute paths whose name prefix matches a load path. E.g. for a load-path "/Users/foo/resources", the actor can cause loading a resource also from "/Users/foo/resources-alt", but not from "/Users/foo/images".

Versions of Venice before and including v1.10.16 are affected by this issue.

Patches

Upgrade to Venice >= 1.10.17, if you are on a version < 1.10.17

Workarounds

If you cannot upgrade the library, you can control the functions that can be used in Venice with a sandbox. If it is appropriate, the functions load-file and load-resource can be blacklisted in the sandbox.

References

For more information

If you have any questions or comments about this advisory:
* Open an issue in GitHub Venice
* Email us at juerg.ch

Credits

I want to publicly recognize the contribution of Jonathan Leitschuh for reporting this issue.

Package	Affected Version
pkg:maven/com.github.jlangch/venice	<= 1.10.16

Package	Fixed Version
pkg:maven/com.github.jlangch/venice	= 1.10.17

ID: MAVEN:GHSA-4MMH-5VW7-RGVJ
Severity: moderate
URL: https://github.com/advisories/GHSA-4mmh-5vw7-rgvj
Published: 2022-08-18T19:07:58
(2 years ago)
Modified: 2023-01-30T05:07:00
(19 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://github.com/jlangch/venice/security/advisories/GHSA-4mmh-5vw7-rgvj
			https://nvd.nist.gov/vuln/detail/CVE-2022-36007
			https://github.com/jlangch/venice/commit/215ae91bb964013b0a2d70718a692832d561ae0a
			https://github.com/jlangch/venice/commit/c942c73136333bc493050910f171a48e6f575b23
			https://github.com/jlangch/venice/releases/tag/v1.10.17
			https://github.com/advisories/GHSA-4mmh-5vw7-rgvj

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/com.github.jlangch/venice	com.github.jlangch	venice	<= 1.10.16
Fixed	pkg:maven/com.github.jlangch/venice	com.github.jlangch	venice	= 1.10.17

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date