Cyber Resilience

CVE-2022-31793

High · Public PoC

Published: 04 August 2022
Modified: 21 November 2024
KEV Added:
Patch:
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9382 (99.9th percentile)
Risk Priority: 71 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-31793 is a high-severity Path Traversal (CWE-22) vulnerability in Inglorion Muhttpd. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-31793 is a path traversal vulnerability in the do_request function within request.c of muhttpd versions prior to 1.1.7. The flaw stems from the server skipping the first character of a requested path when serving files, enabling unauthorized access. It affects Arris NVG443, NVG599, NVG589, and NVG510 devices along with Arris-derived BGW210 and BGW320 models, carrying a CVSS 3.1 score of 7.5 under CWE-22.

Remote unauthenticated attackers can exploit the issue over the network by crafting a URL that prepends a single character to a target filesystem path, resulting in disclosure of arbitrary files with no user interaction required.

Public references, including CERT VU#495801 and vendor analyses, point to upgrading muhttpd to version 1.1.7 or later as the primary remediation, with additional guidance available for affected Arris hardware.

The associated EPSS score stands at 0.9382, indicating substantial exploitation likelihood without evidence of a post-disclosure climb from a low baseline.

Vulnerability details

do_request in request.c in muhttpd before 1.1.7 allows remote attackers to read arbitrary files by constructing a URL with a single character before a desired path on the filesystem. This occurs because the code skips over the first character when serving files. Arris NVG443, NVG599, NVG589, and NVG510 devices and Arris-derived BGW210 and BGW320 devices are affected.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

inglorion muhttpd: ≤ 1.1.7
arris nvg443 firmware: all versions
arris nvg599 firmware: all versions
arris nvg589 firmware: all versions
arris nvg510 firmware: all versions
arris bgw210 firmware: all versions
arris bgw320 firmware: all versions

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
