Headline
GHSA-r9x7-2xmr-v8fw: mangadex-downloader vulnerable to unauthorized file reading
Impact
When using the `file:<location>` command and `<location>` is a web URL (http, https), mangadex-downloader fetches the remote content and then tries to open and read a file on the local disk for each line of that content. Because the remote list is controlled by whoever hosts it, a malicious list can make the tool read arbitrary files on the user's machine.
So far the app only reads the files and does not execute them. Still, having your files read without your knowledge is a serious problem.
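The flaw class described above, as an added illustration that is not mangadex-downloader's own code: a hypothetical batch-list reader that resolves `file:<web URL>` by fetching the list and then tries every fetched line as a local path (the vulnerable pattern), next to a hardened reader that only ever treats list lines as URLs. The `ALLOWED_HOSTS` allow-list, the `RecordingOpener` helper, the offline `fetch` stand-in and the sample "secret" file are all constructed for the example and are not from the advisory or the project.

```python
"""
Hypothetical reconstruction of the advisory's flaw class (not the project's code):
a list fetched from an untrusted web URL must never be used as a source of local paths.
"""
import os
import tempfile
from urllib.parse import urlparse

# Assumption for the hardened check; the advisory does not name an allow-list.
ALLOWED_HOSTS = {"mangadex.org", "www.mangadex.org"}


class RecordingOpener:
    """Drop-in for open() that records every local path an attempt is made on."""

    def __init__(self):
        self.opened = []

    def __call__(self, path, *args, **kwargs):
        self.opened.append(path)
        return open(path, *args, **kwargs)


def resolve_location(location, fetch, opener=open):
    """Resolve `file:<location>`: web locations are fetched, anything else is read
    from disk. `fetch` stands in for an HTTP GET so the example runs offline."""
    if location.startswith(("http://", "https://")):
        return fetch(location)
    with opener(location) as f:
        return f.read()


def parse_list_vulnerable(content, opener=open):
    """Vulnerable pattern: each line is first tried as a local file, no matter
    whether `content` came from the user's disk or from an untrusted server."""
    urls = []
    for line in content.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            with opener(line) as f:  # BUG: `line` is attacker-controlled
                urls.extend(l.strip() for l in f if l.strip())
        except OSError:
            urls.append(line)  # not a readable path: keep it as a URL
    return urls


def is_allowed_url(line):
    """Accept only http(s) URLs on an allow-listed host; bare paths and file: URIs fail."""
    p = urlparse(line)
    return p.scheme in ("http", "https") and p.hostname in ALLOWED_HOSTS


def parse_list_hardened(content):
    """Hardened: a list is only a list of URLs; no line is ever opened as a path."""
    urls = []
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not is_allowed_url(line):
            raise ValueError(f"rejected non-MangaDex line in list: {line!r}")
        urls.append(line)
    return urls


def demo():
    """Run both readers on a constructed malicious remote list. Returns which local
    paths the vulnerable reader touched, what it leaked, and whether the hardened
    reader refused the same list."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("token=SECRET123\n")  # constructed stand-in for a private file

        # Constructed sample: what an attacker's server could return for
        # `file:https://attacker.example/list.txt`.
        malicious = f"{secret}\nhttps://mangadex.org/title/example\n"

        def fetch(url):  # offline stand-in for requests.get(url).text
            return malicious

        opener = RecordingOpener()
        content = resolve_location("https://attacker.example/list.txt", fetch, opener)
        leaked = parse_list_vulnerable(content, opener)

        try:
            parse_list_hardened(content)
            hardened_refused = False
        except ValueError:
            hardened_refused = True

        return {
            "secret_path": secret,
            "opened_by_vulnerable": opener.opened,
            "vulnerable_result": leaked,
            "hardened_refused": hardened_refused,
            "hardened_clean": parse_list_hardened("https://mangadex.org/title/example\n"),
        }


if __name__ == "__main__":
    print(demo())
```

The vulnerable reader ends up with the contents of the local secret file in its URL list, which is exactly the "read a file in local disk for each line of website content" behaviour the advisory describes; the hardened reader rejects the list outright because a bare path is not a MangaDex URL. The design point is that where the list came from does not matter: list lines are data, never paths.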
Workarounds
There is no configuration workaround that makes this safe. Until you update to the latest version (>= 1.7.2), only use `file:<location>` with a web URL you trust, and double-check the URL before proceeding with a download.
Patches
Fixed in version 1.7.2
Reference
- https://github.com/mansuf/mangadex-downloader/blob/v1.7.1/mangadex_downloader/cli/validator.py
- Commit patch: https://github.com/mansuf/mangadex-downloader/commit/439cc2825198ebc12b3310c95c39a8c7710c9b42
Moderate severity. GitHub Reviewed. Published Sep 16, 2022 in mansuf/mangadex-downloader. Updated Sep 16, 2022.
Package
pip mangadex-downloader (pip)
Affected versions
>= 1.3.0, < 1.7.2
Patched versions
1.7.2
References
- GHSA-r9x7-2xmr-v8fw
- https://nvd.nist.gov/vuln/detail/CVE-2022-36082
- mansuf/mangadex-downloader@439cc28
- https://github.com/pypa/advisory-database/tree/main/vulns/mangadex-downloader/PYSEC-2022-264.yaml
mansuf published the maintainer security advisory
Sep 5, 2022
Severity
Moderate, 5.3 / 10
CVSS base metrics
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: None
- Availability: None
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses
CWE-20
CVE ID
CVE-2022-36082
GHSA ID
GHSA-r9x7-2xmr-v8fw
Source code
mansuf/mangadex-downloader
Related news
mangadex-downloader is a command-line tool to download manga from MangaDex. When using the `file:<location>` command and `<location>` is a web URL location (http, https), mangadex-downloader from version 1.3.0 up to but not including 1.7.2 will try to open and read a file on the local disk for each line of the website contents. Version 1.7.2 contains a patch for this issue.