GHSA-75jv-vfxf-3865

Source

https://github.com/advisories/GHSA-75jv-vfxf-3865

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-75jv-vfxf-3865/GHSA-75jv-vfxf-3865.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-75jv-vfxf-3865

Published

2025-07-25T14:15:48Z

Modified

2025-07-25T16:57:04.591456Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H CVSS Calculator

Summary

Assemblyline 4 service client vulnerable to Arbitrary Write through path traversal in Client code

Details

Path-Traversal -> Arbitrary File Write in Assemblyline Service Client

1. Summary

The Assemblyline 4 service client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.

No validation / sanitisation is performed.

A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as
../../../etc/cron.d/evil
and force the client to write the downloaded bytes to an arbitrary location on disk.

2. Affected Versions

| Item | Value | |---|---| | Component | assemblyline-service-client | | Repository | CybercentreCanada/assemblyline-service-client | | Affected | All releases up to master branch. |

4. Technical Details

| Field | Content | |---|---| | Location | assemblyline_service_client/task_handler.py, inside download_file() | | Vulnerable Line | file_path = os.path.join(self.tasking_dir, sha256) | | Root Cause | The sha256 string is taken directly from the service-server JSON response and used as a file name without any validation or sanitisation. | | Exploit Flow | 1. Attacker (service server) returns HTTP 200 for GET /api/v1/file/../../../etc/cron.d/evil.<br>2. Client writes the response body to /etc/cron.d/evil.<br>3. Achieves arbitrary file write (code execution if file is executable). |

5. Impact

Integrity – Overwrite any file writable by the service UID (often root).
Availability – Corrupt critical files or exhaust disk space.
Code Execution – Drop cron jobs, systemd units, or overwrite binaries.

6. Mitigation / Fix

import re

_SHA256_RE = re.compile(r'^[0-9a-fA-F]{64}\Z')

def download_file(self, sha256: str, sid: str) -> Optional[str]:
    if not _SHA256_RE.fullmatch(sha256):
        self.log.error(f"[{sid}] Invalid SHA256: {sha256}")
        self.status = STATUSES.ERROR_FOUND
        return None
    # or your preferred way to check if a string is a shasum.

Database specific

{
    "github_reviewed": true,
    "severity": "CRITICAL",
    "github_reviewed_at": "2025-07-25T14:15:48Z",
    "cwe_ids": [
        "CWE-23"
    ],
    "nvd_published_at": null
}

References

Affected packages

PyPI / assemblyline-service-client

Package

Name: assemblyline-service-client; View open source insights on deps.dev
Purl: pkg:pypi/assemblyline-service-client

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.6.0.stable11

PyPI / assemblyline-service-client

Package

Name: assemblyline-service-client; View open source insights on deps.dev
Purl: pkg:pypi/assemblyline-service-client

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.6.1.dev0

Fixed

4.6.1.dev138

Affected versions

4.*

4.6.1.dev0

4.6.1.dev1

4.6.1.dev2

4.6.1.dev4

4.6.1.dev5

4.6.1.dev7

4.6.1.dev9

4.6.1.dev10

4.6.1.dev13

4.6.1.dev15

4.6.1.dev16

4.6.1.dev18

4.6.1.dev20

4.6.1.dev21

4.6.1.dev22

4.6.1.dev23

4.6.1.dev24

4.6.1.dev25

4.6.1.dev26

4.6.1.dev27

4.6.1.dev28

4.6.1.dev31

4.6.1.dev32

4.6.1.dev33

4.6.1.dev34

4.6.1.dev35

4.6.1.dev36

4.6.1.dev37

4.6.1.dev38

4.6.1.dev39

4.6.1.dev40

4.6.1.dev41

4.6.1.dev42

4.6.1.dev43

4.6.1.dev44

4.6.1.dev48

4.6.1.dev49

4.6.1.dev50

4.6.1.dev51

4.6.1.dev52

4.6.1.dev53

4.6.1.dev54

4.6.1.dev55

4.6.1.dev56

4.6.1.dev57

4.6.1.dev58

4.6.1.dev59

4.6.1.dev60

4.6.1.dev62

4.6.1.dev63

4.6.1.dev64

4.6.1.dev65

4.6.1.dev66

4.6.1.dev67

4.6.1.dev68

4.6.1.dev69

4.6.1.dev72

4.6.1.dev73

4.6.1.dev74

4.6.1.dev75

4.6.1.dev76

4.6.1.dev77

4.6.1.dev78

4.6.1.dev79

4.6.1.dev80

4.6.1.dev81

4.6.1.dev82

4.6.1.dev84

4.6.1.dev85

4.6.1.dev86

4.6.1.dev87

4.6.1.dev88

4.6.1.dev89

4.6.1.dev90

4.6.1.dev92

4.6.1.dev93

4.6.1.dev94

4.6.1.dev95

4.6.1.dev97

4.6.1.dev98

4.6.1.dev99

4.6.1.dev100

4.6.1.dev101

4.6.1.dev102

4.6.1.dev105

4.6.1.dev106

4.6.1.dev107

4.6.1.dev108

4.6.1.dev109

4.6.1.dev110

4.6.1.dev111

4.6.1.dev112

4.6.1.dev113

4.6.1.dev114

4.6.1.dev115

4.6.1.dev116

4.6.1.dev117

4.6.1.dev119

4.6.1.dev120

4.6.1.dev121

4.6.1.dev122

4.6.1.dev123

4.6.1.dev124

4.6.1.dev125

4.6.1.dev126

4.6.1.dev128

4.6.1.dev129

4.6.1.dev130

4.6.1.dev131

4.6.1.dev132

4.6.1.dev133

4.6.1.dev134

4.6.1.dev135

4.6.1.dev136

4.6.1.dev137