CVE-2022-31163
Arbitrary File Load vulnerability in tzinfo (RubyGems)
What is CVE-2022-31163 About?
TZInfo versions 0.3.60 and earlier, and 1.0.0 to 1.2.9 with the Ruby data source, are vulnerable to arbitrary file loading due to improper validation of time zone identifiers. Attackers can inject new line characters and path traversal sequences into the identifier, causing `TZInfo::Timezone.get` to load and execute unintended Ruby files. This can lead to remote code execution. Exploitation requires user-controlled input to the time zone identifier function and relies on the Ruby `require` mechanism.
Affected Software
- tzinfo
  - <0.3.61
  - >=1.0.0, <1.2.10
Technical Details
The vulnerability lies in `TZInfo::Timezone.get` failing to properly validate time zone identifiers. Specifically, it does not prevent the inclusion of new line characters and path traversal sequences (e.g., `/../`). When a crafted time zone identifier, such as `foo\n/../../../../tmp/payload`, is passed to `TZInfo::Timezone.get`, the gem's internal logic, which uses `require` to load time zone definition files, interprets this modified path as a request to load an arbitrary file. For Ruby versions 1.9.3 and later, this `require` call will attempt to load and execute the specified Ruby file. Depending on the TZInfo version and context, this could either load files from the Ruby load path or, in versions 1.2.6-1.2.9, from arbitrary locations on the filesystem, bypassing directory restrictions and achieving remote code execution if a malicious file can be placed on the system.
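As an added illustration (not code from the tzinfo project or its fix), the following Ruby validator allowlists the identifier syntax before anything reaches `TZInfo::Timezone.get`. The pattern and the 64-byte length cap are assumptions of this example, modelled on the shape of IANA identifiers such as `America/New_York`, and `load_timezone` is a hypothetical wrapper. It also shows why a check written with `^`/`$` would not have helped: in Ruby those anchors match at line boundaries, so the newline injection described above slips past them, whereas `\A`/`\z` anchor the whole string.

```ruby
# Added example: allowlist validation of time zone identifiers.
# The pattern below is an assumption for this example, not the gem's own check:
# one or more segments of [A-Za-z0-9+_-], separated by single slashes, so a
# newline, a space, or a "../" segment can never match.
SAFE_TZ_IDENTIFIER = %r{\A[A-Za-z0-9+\-_]+(/[A-Za-z0-9+\-_]+)*\z}

# Same pattern with line anchors. Ruby's ^ and $ match at each line boundary,
# so "foo\n/../x" matches on its first line "foo" alone. Kept only to show the pitfall.
LINE_ANCHORED_TZ_IDENTIFIER = %r{^[A-Za-z0-9+\-_]+(/[A-Za-z0-9+\-_]+)*$}

# Assumed upper bound; real identifiers are far shorter than this.
MAX_TZ_IDENTIFIER_BYTES = 64

def safe_tz_identifier?(identifier)
  return false unless identifier.is_a?(String)
  return false if identifier.bytesize > MAX_TZ_IDENTIFIER_BYTES
  SAFE_TZ_IDENTIFIER.match?(identifier)
end

# Demonstrates the bypass: returns true for the newline-injected identifier.
def line_anchored_match?(identifier)
  LINE_ANCHORED_TZ_IDENTIFIER.match?(identifier)
end

# Hypothetical wrapper an application would call instead of TZInfo::Timezone.get
# directly. The gem is only required once the input has passed the allowlist.
def load_timezone(identifier)
  unless safe_tz_identifier?(identifier)
    raise ArgumentError, "rejected time zone identifier: #{identifier.inspect}"
  end
  require 'tzinfo'
  TZInfo::Timezone.get(identifier)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: two legitimate identifiers and two hostile ones.
  samples = [
    "America/New_York",
    "Etc/GMT+1",
    "foo\n/../../../../tmp/payload",
    "../../etc/passwd"
  ]
  samples.each do |id|
    puts "#{id.inspect}: whole-string anchors=#{safe_tz_identifier?(id)} " \
         "line anchors=#{line_anchored_match?(id)}"
  end
end
```

The `load_timezone` wrapper requires the tzinfo gem only after validation succeeds, so the validator itself can be exercised without the gem installed; the top-level demo prints, for each constructed sample, how the two anchoring styles judge it.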
What is the Impact of CVE-2022-31163?
Successful exploitation may allow attackers to achieve arbitrary file reading, arbitrary code execution, or compromise the integrity of the application.
What is the Exploitability of CVE-2022-31163?
Exploitation complexity is moderate to high, as it requires specific conditions for file placement and user-controlled input. Prerequisites include an application using a vulnerable TZInfo version and accepting untrusted user input directly or indirectly as a time zone identifier. No authentication is necessary if the input field is publicly accessible. This can be a remote vulnerability if the input is exposed via a web interface, for example. Special conditions include the placement of an attacker-controlled Ruby file (e.g., via a file upload vulnerability) in a location that can be reached via path traversal, or within the Ruby load path. The likelihood of exploitation is high if such conditions are met, potentially leading to remote code execution.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-31163?
Available Upgrade Options
- tzinfo
  - <0.3.61 → Upgrade to 0.3.61
  - >=1.0.0, <1.2.10 → Upgrade to 1.2.10
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2022-31163
- https://lists.debian.org/debian-lts-announce/2022/08/msg00009.html
- https://github.com/tzinfo/tzinfo/releases/tag/v1.2.10
- https://osv.dev/vulnerability/GHSA-5cm2-9h8c-rvfx
- https://github.com/tzinfo/tzinfo/releases/tag/v0.3.61
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/tzinfo/CVE-2022-31163.yml
- https://github.com/tzinfo/tzinfo/commit/9eddbb5c0e682736f61d0dd803b6031a5db9eadf
- https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
What are Similar Vulnerabilities to CVE-2022-31163?
Similar Vulnerabilities: CVE-2018-1000073, CVE-2017-0878, CVE-2016-5697, CVE-2015-3226, CVE-2014-8794
