CVE-2022-36065

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Published: Sep 6, 2022 / Updated: 26mo ago

CVSS 7.5 (High) / EPSS 0.11%

GrowthBook is an open-source platform for feature flagging and A/B testing. With some self-hosted configurations in versions prior to 2022-08-29, attackers can register new accounts and upload files to arbitrary directories within the container. If the attacker uploads a Python script to the right location, they can execute arbitrary code within the container. To be affected, ALL of the following must be true: self-hosted deployment (GrowthBook Cloud is unaffected); using local file uploads (as opposed to S3 or Google Cloud Storage); `NODE_ENV` set to a non-production value; and `JWT_SECRET` set to an easily guessable string like `dev`. This issue is patched in commit 1a5edff8786d141161bf880c2fd9ccbe2850a264 (2022-08-29). As a workaround, set the `JWT_SECRET` environment variable to a long random string. This will stop arbitrary file uploads, but the only way to stop attackers from registering accounts is by updating to the latest build.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
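
The preconditions in the description can be checked against a deployment's environment. The following is an added example, not code from GrowthBook or from this advisory: `NODE_ENV` and `JWT_SECRET` are named above, while the `UPLOAD_METHOD` variable name (unset meaning local uploads), the weak-secret list and the length and entropy thresholds are assumptions of this sketch.

```javascript
// Added example, not GrowthBook code. NODE_ENV and JWT_SECRET come from the
// advisory; UPLOAD_METHOD, the weak-secret list and thresholds are assumptions.
const WEAK_SECRETS = new Set(["dev", "test", "secret", "changeme", "password"]);

// Shannon entropy of the string as a whole, in bits.
function entropyBits(s) {
  const chars = [...s];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bitsPerChar = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    bitsPerChar -= p * Math.log2(p);
  }
  return bitsPerChar * chars.length;
}

// "Easily guessable": unset, a known default, short, or long but repetitive.
function isGuessableSecret(secret) {
  if (!secret) return true;
  if (WEAK_SECRETS.has(secret.toLowerCase())) return true;
  if (secret.length < 32) return true;
  return entropyBits(secret) < 128;
}

// Evaluates each precondition; the issue applies only when ALL hold on an
// unpatched build. An unset NODE_ENV is treated as non-production.
function assessExposure(env, { selfHosted = true, patchedBuild = false } = {}) {
  const uploadMethod = (env.UPLOAD_METHOD || "local").toLowerCase();
  const conditions = {
    selfHosted,
    localUploads: uploadMethod === "local",
    nonProductionNodeEnv: env.NODE_ENV !== "production",
    guessableJwtSecret: isGuessableSecret(env.JWT_SECRET),
  };
  const affected = !patchedBuild && Object.values(conditions).every(Boolean);
  const unmet = Object.keys(conditions).filter((k) => !conditions[k]);
  return { affected, conditions, unmet };
}

// Constructed sample environments.
const samples = {
  devDefaults: { NODE_ENV: "development", JWT_SECRET: "dev" },
  hardened: { NODE_ENV: "production", UPLOAD_METHOD: "s3",
    JWT_SECRET: "9f2c7a1e4b8d03f65c1a7e9b2d4f8061a3c5e7f9b1d20486ace13579bdf02468" },
};
for (const [name, env] of Object.entries(samples)) {
  console.log(name, assessExposure(env).affected ? "AFFECTED" : "not affected");
}
```

Pass `process.env` from inside the container to evaluate a live deployment. A "not affected" result that rests only on a strong `JWT_SECRET` still leaves account registration open until the build is updated, as the description notes.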

Timeline

First Article

Feedly found the first article mentioning CVE-2022-36065.

Sep 6, 2022 at 10:00 PM / twitter.com

EPSS

EPSS Score was set to: 0.11% (Percentile: 43.7%)

Sep 16, 2023 at 10:58 PM

Affected Systems

Growthbook/growthbook

Patches

github.com

Links to MITRE ATT&CK

T1574.010: Services File Permissions Weakness

Attack Patterns

CAPEC-126: Path Traversal

News

CVE-2022-36065 (growthbook)
To be affected, ALL of the following must be true: Self-hosted deployment (GrowthBook Cloud is unaffected); using local file uploads (as opposed to S3 or Google Cloud Storage); NODE_ENV set to a non-production value and JWT_SECRET set to an easily guessable string like `dev`. With some self-hosted configurations in versions prior to 2022-08-29, attackers can register new accounts and upload files to arbitrary directories within the container.
CVE-2022-36065 | GrowthBook prior 2022-08-29 path traversal (GHSA-j24q-55xh-wm4r)
A vulnerability has been found in GrowthBook and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to path traversal: '../filedir'. This vulnerability is known as CVE-2022-36065. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
CVE-2022-36065
Severity: None Published: 06/09/2022 Last revised: 06/09/2022 Description: *** Pending translation *** GrowthBook is an open-source platform for feature flagging and A/B testing. With some self-hosted configurations in versions prior to 2022-08-29, attackers can register new accounts and upload files to arbitrary directories within the container. If the attacker uploads a Python script to the right location, they can execute arbitrary code within the container. To be affected, ALL of the following must be true: Self-hosted deployment (GrowthBook Cloud is unaffected); using local file uploads (as opposed to S3 or Google Cloud Storage); NODE_ENV set to a non-production value and JWT_SECRET set to an easily guessable string like `dev`. This issue is patched in commit 1a5edff8786d141161bf880c2fd9ccbe2850a264 (2022-08-29).
🚨 NEW: CVE-2022-36065 🚨 GrowthBook is an open-source platform for feature flagging and A/B testing. With some self-hosted configurations in versions prior to 2022-08-29, attackers can register new accounts and uplo... (click for more) https://nvd.nist.gov/vuln/detail/CVE-2022-36065
CVE-2022-36065
Severity Not Scored Description GrowthBook is an open-source platform for feature flagging and A/B testing. With some self-hosted configurations in versions prior to 2022-08-29, attackers can register new accounts and upload files to arbitrary directories within the container. If the attacker uploads a Python script to the right location, they can execute arbitrary code within the container. To be affected, ALL of the following must be true: Self-hosted deployment (GrowthBook Cloud is unaffected); using local file uploads (as opposed to S3 or Google Cloud Storage); NODE_ENV set to a non-production value and JWT_SECRET set to an easily guessable string like `dev`. This issue is patched in commit 1a5edff8786d141161bf880c2fd9ccbe2850a264 (2022-08-29). As a workaround, set `JWT_SECRET` environment variable to a long random string. This will stop arbitrary file uploads, but the only way to stop attackers from registering accounts is by updating to the latest build. Read more at https://www.tenable.com/cve/CVE-2022-36065

CVSS V3.1

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
