Vulnerability Details : CVE-2022-31041
Open Forms is an application for creating and publishing smart forms. Open Forms supports file uploads as one of the form field types. These fields can be configured to allow only certain file extensions to be uploaded by end users (e.g. only PDF / Excel / ...).

The input validation of uploaded files is insufficient in versions prior to 1.0.9 and 1.1.1. Users could alter or strip file extensions to bypass this validation. This results in files being uploaded to the server that are of a different file type than indicated by the file name extension. These files may be downloaded (manually or automatically) by staff and/or other applications for further processing. Malicious files can therefore find their way into internal/trusted networks.

Versions 1.0.9 and 1.1.1 contain patches for this issue. As a workaround, an API gateway or intrusion detection solution in front of Open Forms may be able to scan for and block malicious content before it reaches the Open Forms application.
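The bug class above is an extension-only allowlist that never looks at the bytes it is allowing. The following is an added example, not Open Forms project code and not the actual pre-1.0.9 validator: `validate_extension_only` is a hypothetical reconstruction of a name-only check (including the plausible bug of accepting a name with no extension at all), and `validate_content` is the content-aware version that also sniffs magic bytes and, for `.xlsx`, confirms the zip container really is a workbook. All sample files are constructed inline.

```python
"""Extension-only vs content-aware upload validation (added example, not
Open Forms code). Shows why a file-name allowlist is bypassed by renaming or
stripping the extension, and how checking the content closes that hole."""
import io
import os
import zipfile

ALLOWED_EXTENSIONS = {".pdf", ".png", ".xlsx"}

# Leading-byte signatures (constructed table, not exhaustive).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),   # OOXML (xlsx/docx), plain zip, jar, apk, ...
    (b"MZ", "exe"),           # Windows PE
    (b"\x7fELF", "elf"),
]


def sniff(data: bytes) -> str:
    """Return a coarse type name from the first bytes of the upload."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def is_ooxml_workbook(data: bytes) -> bool:
    """A .xlsx is a zip container; require the workbook part to be present,
    otherwise any zip (or a jar) renamed to .xlsx would pass the sniff."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "xl/workbook.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def validate_extension_only(filename: str) -> bool:
    """Hypothetical vulnerable check: trusts the name, ignores the content,
    and lets a name without any extension through (assumed bug)."""
    ext = os.path.splitext(filename)[1].lower()
    if not ext:
        return True
    return ext in ALLOWED_EXTENSIONS


def validate_content(filename: str, data: bytes) -> bool:
    """Hardened check: extension must be allowed AND content must match it."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False          # also rejects a stripped extension
    kind = sniff(data[:16])
    if ext == ".pdf":
        return kind == "pdf"
    if ext == ".png":
        return kind == "png"
    if ext == ".xlsx":
        return kind == "zip" and is_ooxml_workbook(data)
    return False


# ---- constructed sample uploads -------------------------------------------
PDF_BYTES = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
EXE_BYTES = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"


def make_fake_xlsx() -> bytes:
    """Minimal zip with the parts a workbook sniff expects (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


def make_plain_zip() -> bytes:
    """A zip that is not a workbook, e.g. an archive renamed to .xlsx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.ps1", "Write-Host hi")
    return buf.getvalue()


if __name__ == "__main__":
    cases = [
        ("report.pdf", PDF_BYTES),
        ("payload.pdf", EXE_BYTES),   # EXE renamed to .pdf
        ("payload", EXE_BYTES),       # extension stripped
        ("book.xlsx", make_fake_xlsx()),
        ("book.xlsx", make_plain_zip()),
    ]
    for name, data in cases:
        print(f"{name:12} ext-only={validate_extension_only(name)!s:5} "
              f"content={validate_content(name, data)}")
```

Magic-byte sniffing raises the bar but is not a parser: a valid PDF can still carry embedded JavaScript, and polyglot files exist, so the content check complements rather than replaces the scanning gateway mentioned as a workaround.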
Vulnerability category: Input validation
Products affected by CVE-2022-31041
- cpe:2.3:a:maykinmedia:open_forms:*:*:*:*:*:*:*:*
- cpe:2.3:a:maykinmedia:open_forms:1.1.0:-:*:*:*:*:*:*
- cpe:2.3:a:maykinmedia:open_forms:1.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:maykinmedia:open_forms:1.1.0:rc0:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31041
EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~17% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-31041
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N | 8.0 | 2.9 | NIST | |
| 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 2.8 | 3.6 | NIST | |
| 7.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L | 2.8 | 4.7 | GitHub, Inc. | |
CWE ids for CVE-2022-31041
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: security-advisories@github.com (Primary)
- The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-31041
- https://github.com/open-formulieren/open-forms/security/advisories/GHSA-h85r-xv4w-cg8g (Insufficient content-type validation for uploaded files · Advisory · open-formulieren/open-forms · GitHub) Third Party Advisory
- https://github.com/open-formulieren/open-forms/commit/0978a29e821a7228c5d46c0527c3e925eb91b071 (Merge pull request from GHSA-h85r-xv4w-cg8g · open-formulieren/open-forms@0978a29 · GitHub) Patch; Third Party Advisory