GHSA-r9x7-2xmr-v8fw: mangadex-downloader vulnerable to unauthorized file reading

Impact

When the `file:<location>` command is used and `<location>` is a web URL (http or https), mangadex-downloader treats each line of the fetched web content as a path and tries to open and read that file on the local disk.

So far, the app only reads the files and does not execute them. Still, having your files read without your knowledge is very scary.

Workarounds

Unfortunately, there is no workaround that makes this issue safe. I suggest double-checking the URL before proceeding with a download, or updating to the latest version (>= 1.7.2).

Patches

Fixed in version 1.7.2
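The following is an added example, not mangadex-downloader's own code: a minimal model of the input-handling flaw the advisory describes (CWE-20, improper validation of the `file:<location>` list) with a hardened version beside it. All names here (parse_file_location, resolve_entries_flawed, resolve_entries_hardened, FAKE_DISK, REMOTE_LIST) are hypothetical, the sample list and fake disk contents are constructed, and the accepted URL shape is an assumption for the example; the project's real validator lives in mangadex_downloader/cli/validator.py and is not reproduced.

```python
"""Model of the `file:<location>` flaw and its fix (added example, hypothetical names)."""
import re
from urllib.parse import urlparse

# Assumption for this example: a download entry must be a MangaDex title URL
# carrying a UUID. This is not the project's own rule.
MANGADEX_TITLE = re.compile(
    r"^https://mangadex\.org/title/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# Constructed stand-in for the reader's local disk (path -> contents), so the
# example runs offline and never opens real files.
FAKE_DISK = {
    "/home/user/secret-notes.txt": "this text should never leave the machine\n",
    "/home/user/my-list.txt":
        "https://mangadex.org/title/11111111-2222-3333-4444-555555555555\n",
}

# Constructed sample of a list fetched from a web URL: one legitimate entry
# and one line that is really a path on the reader's machine.
REMOTE_LIST = (
    "https://mangadex.org/title/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\n"
    "/home/user/secret-notes.txt\n"
)


def fake_is_file(path: str) -> bool:
    return path in FAKE_DISK


def fake_read_lines(path: str) -> list[str]:
    return FAKE_DISK[path].splitlines()


def parse_file_location(arg: str) -> tuple[str, bool]:
    """Split a `file:<location>` argument into (location, is_remote).
    Remote means the list itself is fetched over http/https."""
    if not arg.startswith("file:"):
        raise ValueError("expected file:<location>")
    location = arg[len("file:"):]
    scheme = urlparse(location).scheme.lower()
    return location, scheme in ("http", "https")


def resolve_entries_flawed(lines, is_file, read_lines) -> list[str]:
    """Flawed handling, modelled on the advisory: any line naming an existing
    local file is opened and its contents pulled into the download queue,
    regardless of where the list came from."""
    resolved = []
    for line in (ln.strip() for ln in lines):
        if not line:
            continue
        if is_file(line):  # trusts remotely supplied text as a local path
            resolved.extend(read_lines(line))
        else:
            resolved.append(line)
    return resolved


def resolve_entries_hardened(lines, source_is_remote, is_file, read_lines):
    """Hardened handling: local-file expansion is allowed only when the list
    itself came from local disk, and every resulting entry must match the
    expected URL shape. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for line in (ln.strip() for ln in lines):
        if not line:
            continue
        if not source_is_remote and is_file(line):
            candidates = read_lines(line)
        else:
            candidates = [line]
        for entry in (c.strip() for c in candidates):
            (accepted if MANGADEX_TITLE.match(entry) else rejected).append(entry)
    return accepted, rejected


def demo() -> dict:
    """Run both handlers over the constructed inputs and return the outcomes."""
    _, remote = parse_file_location("file:https://example.invalid/list.txt")
    local_loc, local = parse_file_location("file:/home/user/my-list.txt")
    flawed = resolve_entries_flawed(
        REMOTE_LIST.splitlines(), fake_is_file, fake_read_lines)
    hardened_remote = resolve_entries_hardened(
        REMOTE_LIST.splitlines(), remote, fake_is_file, fake_read_lines)
    # For a local list, the path given on the command line is the file to read.
    hardened_local = resolve_entries_hardened(
        [local_loc], local, fake_is_file, fake_read_lines)
    return {"flawed": flawed, "hardened_remote": hardened_remote,
            "hardened_local": hardened_local}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the block shows the flawed handler quietly replacing the path line with the contents of the local file, while the hardened handler keeps remote lists as pure lists of URLs and reports the stray path as a rejected entry, which is also the point at which a detection or warning belongs.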

Reference

  • https://github.com/mansuf/mangadex-downloader/blob/v1.7.1/mangadex_downloader/cli/validator.py
  • Commit patch: https://github.com/mansuf/mangadex-downloader/commit/439cc2825198ebc12b3310c95c39a8c7710c9b42

mangadex-downloader vulnerable to unauthorized file reading

Moderate severity, GitHub Reviewed. Published Sep 16, 2022 in mansuf/mangadex-downloader; updated Sep 16, 2022.

  • Package: mangadex-downloader (pip)
  • Affected versions: >= 1.3.0, < 1.7.2
  • Patched versions: 1.7.2


References

  • GHSA-r9x7-2xmr-v8fw
  • https://nvd.nist.gov/vuln/detail/CVE-2022-36082
  • mansuf/mangadex-downloader@439cc28
  • https://github.com/pypa/advisory-database/tree/main/vulns/mangadex-downloader/PYSEC-2022-264.yaml

mansuf published the maintainer security advisory

Sep 5, 2022

Severity

Moderate, CVSS base score 5.3 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Weaknesses: CWE-20

CVE ID: CVE-2022-36082

GHSA ID: GHSA-r9x7-2xmr-v8fw

Source code: mansuf/mangadex-downloader


Related news

CVE-2022-36082: Fix improper validation in `file:<location>` syntax · mansuf/mangadex-downloader@439cc28

mangadex-downloader is a command-line tool to download manga from MangaDex. When using `file:<location>` command and `<location>` is a web URL location (http, https), mangadex-downloader between versions 1.3.0 and 1.7.2 will try to open and read a file in local disk for each line of website contents. Version 1.7.2 contains a patch for this issue.