{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/mako--1.3.11/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Mako (\u003c= 1.3.11)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","windows"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eMako is a template library written in Python. A path traversal vulnerability, identified as CVE-2026-44307, affects Mako versions 1.3.11 and earlier when running on Windows. The vulnerability stems from inconsistencies in how Mako handles path normalization. Specifically, the \u003ccode\u003eTemplateLookup.get_template()\u003c/code\u003e function, which uses \u003ccode\u003eposixpath\u003c/code\u003e for URI normalization, differs from the \u003ccode\u003eTemplate.__init__()\u003c/code\u003e function, which uses \u003ccode\u003eos.path\u003c/code\u003e for file access and validation. This discrepancy allows attackers to bypass directory traversal checks by crafting URIs that contain backslashes. Backslashes are treated as path separators by \u003ccode\u003eos.path\u003c/code\u003e on Windows but as literal characters by \u003ccode\u003eposixpath\u003c/code\u003e, leading to incorrect validation. This vulnerability allows an attacker to load and disclose readable files outside the configured template directory if an application passes user-controlled template names or include paths to \u003ccode\u003eTemplateLookup.get_template()\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious URI containing backslash-based path traversal sequences (e.g., \u003ccode\u003e\\..\\..\\secret.txt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe application passes the crafted URI to \u003ccode\u003eTemplateLookup.get_template()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eget_template()\u003c/code\u003e strips leading forward slashes and normalizes the URI using \u003ccode\u003eposixpath.normpath()\u003c/code\u003e. Backslashes are treated as literal characters, bypassing directory traversal checks.\u003c/li\u003e\n\u003cli\u003eThe URI is passed to \u003ccode\u003eTemplate.__init__()\u003c/code\u003e for template initialization and validation.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eTemplate.__init__()\u003c/code\u003e uses \u003ccode\u003eos.path.normpath()\u003c/code\u003e to normalize the URI. On Windows, this resolves backslash traversal, converting \u003ccode\u003e\\..\\..\\secret.txt\u003c/code\u003e to \u003ccode\u003e\\secret.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003estartswith(\u0026quot;..\u0026quot;)\u003c/code\u003e check in \u003ccode\u003eTemplate.__init__()\u003c/code\u003e incorrectly passes because the normalized path \u003ccode\u003e\\secret.txt\u003c/code\u003e does not begin with \u003ccode\u003e..\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eos.path.isfile()\u003c/code\u003e is used to check for the existence of the file. On Windows, \u003ccode\u003eos.path.isfile()\u003c/code\u003e interprets backslashes as path separators, successfully resolving the path and locating the file outside the intended template directory.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully reads the contents of the file, leading to information disclosure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read arbitrary files on the system that the application has access to. The vulnerability affects Mako versions 1.3.11 and earlier on Windows. If the targeted file contains Mako/Python template syntax, it may also be parsed and executed as a template, potentially leading to further code execution. The primary impact is local file disclosure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of Mako greater than 1.3.11 to remediate CVE-2026-44307.\u003c/li\u003e\n\u003cli\u003eSanitize user-supplied template names and include paths before passing them to \u003ccode\u003eTemplateLookup.get_template()\u003c/code\u003e to prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-24-mako-path-traversal/","summary":"A path traversal vulnerability exists in Mako versions 1.3.11 and earlier on Windows, allowing attackers to read arbitrary files outside the configured template directory by using backslashes in URIs to bypass directory traversal checks.","title":"Mako Template Engine Path Traversal Vulnerability on Windows","url":"https://feed.craftedsignal.io/briefs/2024-01-24-mako-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Mako (\u003c= 1.3.11)","version":"https://jsonfeed.org/version/1.1"}