Cyber Resilience

CVE-2022-31163

Severity: High · Public PoC

Published: 22 July 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in 0.3.61 and 1.2.10
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.0383 (88.4th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-31163 is a high-severity Path Traversal (CWE-22) vulnerability in the TZInfo Ruby library (vendor: tzinfo project). Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 11.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

TZInfo is a Ruby library that provides time zone data and conversion functionality. It is affected by a relative path traversal vulnerability (CWE-22/CWE-23) in versions prior to 0.3.61, and in versions prior to 1.2.10 when the tzinfo-data gem is used as the data source. The flaw stems from insufficient validation in TZInfo::Timezone.get, which accepts time zone identifiers containing newline characters; on Ruby 1.9.3 and later this allows a crafted identifier to cause the library to issue a require call that loads and executes an arbitrary file present on the Ruby load path.

An attacker who can control the time zone identifier passed to TZInfo::Timezone.get can therefore trigger execution of attacker-supplied Ruby code inside the target process. The attack requires the ability to place a suitably named file (prefixed with tzinfo/definition) in a directory on the load path and succeeds over the network with no authentication when the application exposes such an identifier to untrusted input.

The official fixes, released in TZInfo 0.3.61 and 1.2.10, add strict validation of identifiers. The project advisory additionally supplies a regular-expression workaround (\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z) that applications can apply before invoking get, and notes that even the patched 0.3.61 release can still load files whose names satisfy the identifier rules. The associated EPSS score has remained low, reaching a peak of only 0.0657.

EU & UK References

Vulnerability details

TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of `tzinfo/definition` within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to `TZInfo::Timezone.get` by ensuring it matches the regular expression `\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z`.
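The advisory's regular-expression workaround (quoted in both the analysis and the vulnerability details above) is easy to get subtly wrong in Ruby: anchoring with `^`/`$` instead of `\A`/`\z` would still let an identifier with a trailing newline through, which is exactly the malformed input this CVE concerns. The following is an added example, not code from the TZInfo project, showing a validating wrapper built around the advisory's regex. The wrapper and helper names (`safe_tz_identifier?`, `get_timezone_safely`, `audit_tz_identifiers`) are assumptions, the loader is injected so the script runs without the tzinfo gem installed, and the sample identifiers are constructed for the demonstration.

```ruby
# Added example (not TZInfo's own code): validate a time zone identifier with the
# regular expression from the TZInfo advisory before handing it to
# TZInfo::Timezone.get. The regex is the advisory's; everything else here
# (function names, loader injection, sample inputs) is an assumption.

SAFE_TZ_IDENTIFIER = /\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z/

class UnsafeTimezoneIdentifier < ArgumentError; end

# True only for identifiers made of the allowed character classes separated by
# single slashes. \A and \z anchor to the real start and end of the string;
# Ruby's ^ and $ are line anchors and would accept "Europe/London\n...".
def safe_tz_identifier?(identifier)
  identifier.is_a?(String) && SAFE_TZ_IDENTIFIER.match?(identifier)
end

# Enforces validation, then calls the supplied loader. In an application the
# loader would be ->(id) { TZInfo::Timezone.get(id) }; it is injected here so
# the example runs offline without the tzinfo gem.
def get_timezone_safely(identifier, loader)
  unless safe_tz_identifier?(identifier)
    raise UnsafeTimezoneIdentifier, "rejected time zone identifier: #{identifier.inspect}"
  end
  loader.call(identifier)
end

# Classifies a batch of identifiers, e.g. values seen in request logs, into
# those the workaround accepts and those it rejects.
def audit_tz_identifiers(identifiers)
  identifiers.each_with_object({ accepted: [], rejected: [] }) do |id, acc|
    (safe_tz_identifier?(id) ? acc[:accepted] : acc[:rejected]) << id
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: legitimate identifiers plus the malformed shapes
  # the advisory warns about (embedded newline, traversal segments).
  samples = [
    "Europe/London",
    "America/Argentina/Buenos_Aires",
    "Etc/GMT+1",
    "UTC",
    "Europe/London\nputs 'loaded'", # embedded newline: the advisory's case
    "../../../tmp/evil",            # traversal segments
    "Europe//London",               # empty path segment
    ""
  ]
  report = audit_tz_identifiers(samples)
  puts "accepted: #{report[:accepted].inspect}"
  puts "rejected: #{report[:rejected].inspect}"

  # Stub standing in for TZInfo::Timezone.get (assumption).
  stub_loader = ->(id) { "timezone object for #{id}" }
  puts get_timezone_safely("Europe/London", stub_loader)
  begin
    get_timezone_safely("Europe/London\nanything", stub_loader)
  rescue UnsafeTimezoneIdentifier => e
    puts "blocked: #{e.message}"
  end
end
```

Running the script prints the accepted and rejected lists and then shows one identifier passing through to the loader and the newline variant being refused. The validation is a compensating control only: the advisory also notes that patched 0.3.61 will still `require` a correctly named file under a `tzinfo/definition` prefix on the load path, so keeping untrusted files off the load path and upgrading to 1.2.10 or a 2.x release remain the real fixes.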

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

tzinfo project
tzinfo
≤ 0.3.61 · 1.0.0 — 1.2.10
debian
debian linux
10.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References