CVE-2022-39367

28.10.2022, 16:15

QTIWorks is a software suite for standards-based assessment delivery. Prior to version 1.0-beta15, the QTIWorks Engine allows users to upload QTI content packages as ZIP files. The ZIP handling code does not sufficiently check the paths of files contained within ZIP files, so can insert files into other locations in the filesystem if they are writable by the process running the QTIWorks Engine. In extreme cases, this could allow anonymous users to change files in arbitrary locations in the filesystem. In normal QTIWorks Engine deployments, the impact is somewhat reduced because the default QTIWorks configuration does not enable the public demo functionality, so ZIP files can only be uploaded by users with "instructor" privileges. This vulnerability is fixed in version 1.0-beta15. There are no database configuration changes required when upgrading to this version. No known workarounds for this issue exist.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.6 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
GitHub_M	CNA	8.6 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 26%

Vendor	Product	Version
qtiworks_project	qtiworks	𝑥 < 1.0
qtiworks_project	qtiworks	1.0
qtiworks_project	qtiworks	1.0:beta1
qtiworks_project	qtiworks	1.0:beta10
qtiworks_project	qtiworks	1.0:beta11
qtiworks_project	qtiworks	1.0:beta12
qtiworks_project	qtiworks	1.0:beta13
qtiworks_project	qtiworks	1.0:beta14
qtiworks_project	qtiworks	1.0:beta2
qtiworks_project	qtiworks	1.0:beta3
qtiworks_project	qtiworks	1.0:beta4
qtiworks_project	qtiworks	1.0:beta5
qtiworks_project	qtiworks	1.0:beta6
qtiworks_project	qtiworks	1.0:beta7
qtiworks_project	qtiworks	1.0:beta8
qtiworks_project	qtiworks	1.0:beta9

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/davemckain/qtiworks/commit/1a46d6d842877ba2b824d5c269845827e2e0ccac

https://github.com/davemckain/qtiworks/pull/81

https://github.com/davemckain/qtiworks/security/advisories/GHSA-xrjg-59rc-4j42

https://github.com/davemckain/qtiworks/commit/1a46d6d842877ba2b824d5c269845827e2e0ccac

https://github.com/davemckain/qtiworks/pull/81

https://github.com/davemckain/qtiworks/security/advisories/GHSA-xrjg-59rc-4j42