CVE-2022-0679
Published: 28 March 2022
Summary
CVE-2022-0679 is a critical-severity Path Traversal (CWE-22) vulnerability in Narnoo Distributor (vendor: Narnoo Distributor Project). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
The Narnoo Distributor WordPress plugin through version 2.5.1 is affected by a path traversal vulnerability (CWE-22) in the narnoo_distributor_lib_request AJAX action. The plugin does not validate or sanitize the lib_path parameter before passing it to a require() call, allowing the contents of arbitrary files to be returned in the JSON response.
Both unauthenticated and authenticated attackers can supply a crafted lib_path value to disclose sensitive files on the server. Depending on the underlying PHP configuration and system setup, the flaw can also be leveraged for remote code execution, consistent with its CVSS 3.1 score of 9.8.
The EPSS score for this CVE stands at 0.8448 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15764
Vulnerability details
The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users), which results in the disclosure of arbitrary files, as the content of the file is then displayed in the response as JSON data. This could also lead to RCE with various tricks, but that depends on the underlying system and its configuration.
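One defensive way to handle the lib_path parameter described in the Deeper analysis and Vulnerability details above, as an added example rather than the plugin's own code: the file is resolved only inside a fixed library directory and the action requires a capability and nonce. The function names, the library directory, the capability and the nonce action name are assumptions.

```php
<?php
// Added example, not the Narnoo Distributor plugin's code. Names below are hypothetical.

const NARNOO_LIB_DIR = __DIR__ . '/lib';   // assumed fixed base directory for library files

/**
 * Return the absolute path of an allowed library file, or null when the request
 * would escape NARNOO_LIB_DIR: ".." segments, absolute paths, stream wrappers
 * such as php:// or data://, symlinks pointing outside, or non-.php files.
 */
function narnoo_resolve_lib_path(string $lib_path): ?string {
    // Allowlist the shape first: plain relative segments ending in .php, no ":" or "..".
    if (!preg_match('~^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*\.php$~', $lib_path)) {
        return null;
    }
    $base = realpath(NARNOO_LIB_DIR);
    $full = realpath(NARNOO_LIB_DIR . '/' . $lib_path);
    if ($base === false || $full === false) {
        return null;   // base directory or target file does not exist
    }
    // realpath() resolved symlinks and "..": the result must still sit under $base.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

/** AJAX handler: authorised callers only, and only files from the library directory. */
function narnoo_lib_request_handler(): void {
    // Closing the unauthenticated path: require a capability and a valid nonce.
    if (!current_user_can('manage_options') || !check_ajax_referer('narnoo_lib', 'nonce', false)) {
        wp_send_json_error('forbidden', 403);   // wp_send_json_* terminates the request
    }
    $requested = isset($_POST['lib_path']) ? (string) $_POST['lib_path'] : '';
    $path = narnoo_resolve_lib_path($requested);
    if ($path === null) {
        wp_send_json_error('invalid lib_path', 400);
    }
    $data = require $path;   // assumed: library files return an array of data
    wp_send_json_success($data);
}
```

The regex rejects the traversal and wrapper inputs before any filesystem call, and the realpath() prefix check catches symlinks that the regex cannot see.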
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely mitigating controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.