CVE-2023-32309
Arbitrary File Read vulnerability in pymdown-extensions (PyPI)

Arbitrary File Read Proof of concept

What is CVE-2023-32309 About?

This arbitrary file read vulnerability allows an attacker to expose the content of any readable file on the host system. It exploits a directory traversal flaw in the `pymdownx.snippets` extension when processing specific include file syntax. The vulnerability is relatively easy to exploit with a crafted payload, potentially exposing sensitive information.

Affected Software

pymdown-extensions >1.5, <10.0

Technical Details

The vulnerability is an arbitrary file read in the `pymdownx.snippets` extension, caused by a directory traversal flaw in its `get_snippet_path` method (lines 155-174 in `snippets.py`). When a user supplies an include directive such as `--8<--"/etc/passwd"` or `--8<--"../../../../etc/passwd"`, the extension processes it as part of the `markdown.markdown` conversion. The `os.path.join(base, path)` call inside `get_snippet_path` neither sanitizes nor validates the `path` argument: `os.path.join` discards every preceding component when a later one is absolute, and it does not collapse `..` segments, so with `base` set to a directory such as `docs`, an absolute `path` or one containing `..` escapes the intended base directory. For example, `filename = os.path.join("docs", "/etc/passwd")` yields `filename == "/etc/passwd"`. This incorrect path construction lets an attacker name files outside the intended `base_path` and have the content of any readable file included in the generated documentation; the proof of concept demonstrates this by including `/etc/passwd` directly.
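The following Python is an added illustration, not code from pymdown-extensions or from the PoC: `naive_snippet_path` reproduces the flawed `os.path.join` construction on the two inputs described above, `restricted_snippet_path` is a hypothetical hardened resolver that refuses any target outside the base directory, and `find_escaping_includes` is a defender-side scan that flags such directives in untrusted Markdown before it is rendered (all three names are assumptions; the sample Markdown is constructed).

```python
import os
import re
from typing import List, Optional

# Single-line snippet directive: --8<-- "path/to/file" (whitespace optional)
SNIPPET_RE = re.compile(r'--8<--\s*"([^"]+)"')


def naive_snippet_path(base: str, path: str) -> str:
    """Mirrors the flawed construction: os.path.join() throws away `base`
    when `path` is absolute and never collapses '..' segments."""
    return os.path.join(base, path)


def restricted_snippet_path(base: str, path: str) -> Optional[str]:
    """Hypothetical hardened variant: resolve the candidate inside `base`
    and return None for anything that ends up outside it."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, path))
    # commonpath() avoids the prefix trap where 'docs2' would pass a
    # startswith('docs') check; realpath() also resolves symlinks.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def find_escaping_includes(markdown_text: str, base: str) -> List[str]:
    """Defender-side check for untrusted Markdown: list every single-line
    snippet directive whose target would resolve outside `base`."""
    return [
        m.group(1)
        for m in SNIPPET_RE.finditer(markdown_text)
        if restricted_snippet_path(base, m.group(1)) is None
    ]


if __name__ == "__main__":
    # Constructed sample input, not real documentation content.
    sample = (
        "# Intro\n"
        '--8<-- "intro.md"\n'
        '--8<-- "/etc/passwd"\n'
        '--8<-- "../../../../etc/passwd"\n'
    )
    print(naive_snippet_path("docs", "/etc/passwd"))  # /etc/passwd
    print(find_escaping_includes(sample, "docs"))
```

The fixed release, 10.0, restricts snippet paths to the configured base path by default; the scan above is useful as a second check wherever Markdown from untrusted sources is accepted.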

What is the Impact of CVE-2023-32309?

Successful exploitation may allow attackers to read arbitrary files on the host system, leading to information disclosure, credential leaks, or further system compromise.

What is the Exploitability of CVE-2023-32309?

Exploitation is of low complexity and can be achieved by injecting a specially crafted markdown payload. This vulnerability typically requires the attacker to have the ability to submit or influence markdown content that gets processed by the pymdownx.snippets extension. No specific authentication or high privilege is detailed as required, but the attacker needs to be in a position to supply the vulnerable input. This is a logical flaw that can be exploited remotely if the markdown processing is part of a web application, or locally if the attacker has access to create markdown files for processing. Risk factors are increased if the application processes user-supplied, untrusted markdown content with this extension enabled, as it can directly lead to sensitive file exposure.

What are the Known Public Exploits?

PoC Author: itlabbet
Link: (link to the proof-of-concept repository)
Commentary: Example project illustrating the CVE-2023-32309 vulnerability

What are the Available Fixes for CVE-2023-32309?

Available Upgrade Options

  • pymdown-extensions
    • >1.5, <10.0 → Upgrade to 10.0


Additional Resources

What are Similar Vulnerabilities to CVE-2023-32309?

Similar Vulnerabilities: CVE-2022-24759, CVE-2021-42771, CVE-2020-28186, CVE-2019-18301, CVE-2018-16341