{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/pygeoapi/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pygeoapi"],"_cs_severities":["high"],"_cs_tags":["path-traversal","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in pygeoapi versions 0.23.0, 0.23.1, and 0.23.2, specifically within the STAC (Spatially Aware Catalog) FileSystemProvider plugin. This flaw allows unauthenticated attackers to access unauthorized directories by manipulating URL paths, particularly when pygeoapi is deployed without a proxy or web front end that normalizes URLs containing \u003ccode\u003e..\u003c/code\u003e sequences. The vulnerability arises from improper handling of raw string path concatenation, making systems with STAC collection-based resources in their configuration susceptible to unauthorized file system access. This issue was resolved in version 0.23.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious HTTP request targeting a pygeoapi instance configured with a STAC collection resource.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a URL containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to navigate the file system.\u003c/li\u003e\n\u003cli\u003epygeoapi\u0026rsquo;s STAC FileSystemProvider plugin receives the request and attempts to resolve the file path.\u003c/li\u003e\n\u003cli\u003eDue to the raw string path concatenation vulnerability, the path traversal sequences are not properly sanitized.\u003c/li\u003e\n\u003cli\u003eThe application constructs an incorrect file path, allowing access to files and directories outside of the intended STAC collection directory.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive information or configuration files located in the exposed directories.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially use the exposed information to further compromise the system.\u003c/li\u003e\n\u003cli\u003eThe final objective is unauthorized access to sensitive data and potentially system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe path traversal vulnerability in pygeoapi allows unauthorized access to directories and files, potentially exposing sensitive data, configuration files, or even source code. The impact depends on the data stored in the exposed directories. Successful exploitation can lead to information disclosure, privilege escalation, and further system compromise. Organizations using vulnerable pygeoapi versions are at risk until they upgrade to version 0.23.3 or implement the recommended workaround.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to pygeoapi version 0.23.3 to patch the vulnerability as detailed in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-f6pr-83pg-ghh6\"\u003ehttps://github.com/advisories/GHSA-f6pr-83pg-ghh6\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eAs an immediate mitigation, disable STAC collection-based resources in the pygeoapi configuration as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-f6pr-83pg-ghh6\"\u003ehttps://github.com/advisories/GHSA-f6pr-83pg-ghh6\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;pygeoapi Path Traversal Attempt\u0026rdquo; to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-pygeoapi-path-traversal/","summary":"A path traversal vulnerability exists in pygeoapi versions 0.23.0 to 0.23.2 within the STAC FileSystemProvider plugin, allowing unauthenticated access to directories when deployed without a URL-normalizing proxy.","title":"pygeoapi Path Traversal Vulnerability in STAC FileSystemProvider","url":"https://feed.craftedsignal.io/briefs/2024-01-03-pygeoapi-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Pygeoapi","version":"https://jsonfeed.org/version/1.1"}