Cyber Resilience

CVE-2023-43662

High · Public PoC

Published: 28 September 2023

Modified
21 November 2024
CVSS Score (v3.1): 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.9260 (99.8th percentile)
Risk Priority: 73 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-43662 is a high-severity Path Traversal (CWE-22) vulnerability in Shokoanime Shokoserver. Its CVSS base score is 8.6 (High).

Operationally, this CVE ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

ShokoServer, an open-source media server specialized in organizing anime collections, contains a path traversal vulnerability in the /api/Image/WithPath endpoint. The endpoint accepts an unsanitized serverImagePath parameter that is passed directly to System.IO.File.OpenRead, enabling arbitrary file reads on the underlying host. The issue is worsened when the Windows installer deploys the service under an administrative account, and the flaw is tracked as CWE-22 with a CVSS 3.1 score of 8.6.

Unauthenticated remote attackers can invoke the endpoint to retrieve any file readable by the ShokoServer process, potentially exposing configuration data, credentials, or other sensitive information stored on the server. No authentication or user interaction is required, and the attack can be performed over the network.

The GitHub Security Lab advisory (GHSA-mwcv-ghjq-8f2g) and associated commit 6c57ba0f0 state that the vulnerable endpoint has been removed entirely; until a patched release is available, administrators are advised to restrict network access to the endpoint or apply the commit manually. The EPSS score has reached 0.9260, indicating substantial exploitation interest following disclosure.

Vulnerability details

ShokoServer is a media server which specializes in organizing anime. In affected versions the `/api/Image/WithPath` endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter `serverImagePath`, which is not sanitized in any way before being passed to `System.IO.File.OpenRead`, which results in an arbitrary file read. This issue may lead to an arbitrary file read which is exacerbated in the Windows installer which installs the ShokoServer as administrator. Any unauthenticated attacker may be able to access sensitive information and read files stored on the server. The `/api/Image/WithPath` endpoint has been removed in commit `6c57ba0f0` which will be included in subsequent releases. Users should limit access to the `/api/Image/WithPath` endpoint or manually patch their installations until a patched release is made. This issue was discovered by the GitHub Security Lab and is also indexed as GHSL-2023-191.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

shokoanime / shokoserver ≤ 4.2.2

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
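The control above, applied to the pattern described under Deeper analysis, as an added illustration that is not ShokoServer's code: an unvalidated form that hands the request parameter straight to `File.OpenRead`, beside a hardened form that canonicalises the path and refuses anything outside the image directory. The class, method and `imagesRoot` names are assumptions, and the code assumes .NET 5 or later.

```csharp
using System;
using System.IO;

// Added illustration, not ShokoServer's code. Models a "return a default server image by
// path" handler: the unsafe form hands the caller-supplied path straight to File.OpenRead,
// the hardened form pins every request under one directory (imagesRoot, assumed name).
public static class ImagePathGuard
{
    // Pattern the advisory describes: nothing sits between the request parameter and OpenRead.
    public static Stream OpenUnvalidated(string serverImagePath) =>
        File.OpenRead(serverImagePath);

    // Returns true and the canonical path only when the request stays inside imagesRoot.
    public static bool TryResolve(string imagesRoot, string serverImagePath, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(serverImagePath)) return false;

        // A legitimate request is relative to the image directory; absolute paths,
        // drive-letter paths and UNC paths are rejected before any combining happens.
        if (Path.IsPathRooted(serverImagePath)) return false;

        string root = Path.GetFullPath(imagesRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar)) root += Path.DirectorySeparatorChar;

        // GetFullPath collapses "." and ".." segments (and "/" vs "\" on Windows), so the
        // containment test runs on the canonical form, not on the raw query string.
        string candidate = Path.GetFullPath(Path.Combine(root, serverImagePath));

        // Windows file systems are case-insensitive; match the comparison to the platform.
        StringComparison cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;
        if (!candidate.StartsWith(root, cmp)) return false;

        fullPath = candidate;
        return true;
    }

    // Hardened replacement for OpenUnvalidated: refuse anything that escapes the root.
    public static Stream OpenWithinRoot(string imagesRoot, string serverImagePath)
    {
        if (!TryResolve(imagesRoot, serverImagePath, out string fullPath))
            throw new UnauthorizedAccessException("serverImagePath escapes the image directory");
        return File.OpenRead(fullPath);
    }
}
```

`Path.GetFullPath` does not resolve symbolic links, so if `imagesRoot` can contain links pointing outside it, also check the link target (for example with `FileInfo.ResolveLinkTarget` on .NET 6+) or serve only from a directory that cannot contain links.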
