CVE-2022-44900
Published: 06 December 2022
Summary
CVE-2022-44900 is a critical-severity Path Traversal (CWE-22) vulnerability in the py7zr Python library (vendor: Py7Zr Project). Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A directory traversal vulnerability exists in the SevenZipFile.extractall() function of the py7zr Python library versions 0.20.0 and earlier. The flaw, tracked as CWE-22, permits extraction of a specially crafted 7z archive to write files to arbitrary locations on the filesystem. It carries a CVSS 3.1 base score of 9.1, reflecting network attack vector, low complexity, and no required authentication or user interaction.
An attacker can supply a malicious 7z file to any application or service that uses the affected py7zr library to extract archives from untrusted sources. Successful exploitation results in the ability to overwrite or create arbitrary files, which can lead to code execution, configuration changes, or other impacts on confidentiality and integrity.
Public references include a GitHub commit that addresses the issue in the py7zr repository along with proof-of-concept material on Packet Storm. The EPSS score reached a peak of 0.3328 and currently stands at 0.2501.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-0208
Vulnerability details
A directory traversal vulnerability in the SevenZipFile.extractall() function of the Python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
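The control above, and the extractall() weakness described in the deeper analysis, come down to one check: every member name in the archive must resolve to a location inside the chosen destination directory before anything is written. The code below is an added example of that check, not py7zr's own code or its fix; it works on a plain list of member-name strings (which a caller could obtain from the archive listing, for instance py7zr's SevenZipFile.getnames(), an assumed call not shown here) and uses only the Python standard library, so it runs without py7zr installed. The destination path and member names in the demo are constructed for illustration.

```python
import os
import posixpath


def is_safe_member(member_name: str, dest_dir: str) -> bool:
    """Return True only if member_name, joined onto dest_dir, resolves inside dest_dir.

    Rejects absolute paths, drive-letter paths and any name that climbs above the
    destination after normalisation (for example "a/../../b").
    """
    # Archive paths use forward slashes; treat backslashes as separators as well,
    # because a consumer on Windows would.
    name = member_name.replace("\\", "/")

    # Absolute paths and drive letters can never be inside dest_dir.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False

    # Collapse "." and ".." components; anything still starting with ".." escapes.
    normalised = posixpath.normpath(name)
    if normalised == ".." or normalised.startswith("../"):
        return False

    # Final authority: resolve both sides and require the target to share the
    # destination as its common prefix. realpath() also follows existing symlinks
    # in dest_dir, so a symlinked destination is compared on its real location.
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *normalised.split("/")))
    return os.path.commonpath([dest_real, target]) == dest_real


def partition_members(member_names, dest_dir: str):
    """Split member names into (safe, unsafe) lists for the given destination."""
    safe, unsafe = [], []
    for name in member_names:
        (safe if is_safe_member(name, dest_dir) else unsafe).append(name)
    return safe, unsafe


if __name__ == "__main__":
    # Constructed sample listing: the kind of names a crafted archive could carry.
    sample_names = [
        "docs/readme.txt",
        "src/a/../b.py",
        "../../etc/passwd",
        "/etc/cron.d/job",
        "..\\..\\win.ini",
    ]
    ok, bad = partition_members(sample_names, "/tmp/extract-demo")
    print("safe to extract:", ok)
    print("rejected:", bad)
```

A caller would run partition_members() over the archive listing and refuse to extract at all if the unsafe list is non-empty, rather than silently skipping entries. The check only covers path strings: symbolic-link members whose target points outside the destination are a separate concern that this function does not address.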