Vulnerability Details : CVE-2022-36065
GrowthBook is an open-source platform for feature flagging and A/B testing. In some self-hosted configurations of versions prior to 2022-08-29, attackers can register new accounts and upload files to arbitrary directories within the container. If the attacker uploads a Python script to the right location, they can execute arbitrary code within the container. To be affected, ALL of the following must be true:
- self-hosted deployment (GrowthBook Cloud is unaffected);
- local file uploads in use (as opposed to S3 or Google Cloud Storage);
- NODE_ENV set to a non-production value and JWT_SECRET set to an easily guessable string such as `dev`.
This issue is patched in commit 1a5edff8786d141161bf880c2fd9ccbe2850a264 (2022-08-29). As a workaround, set the `JWT_SECRET` environment variable to a long random string. This stops the arbitrary file uploads, but the only way to stop attackers from registering accounts is to update to the latest build.
Vulnerability category: Directory traversal; Execute code
Products affected by CVE-2022-36065
- cpe:2.3:a:growthbook:growthbook:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-36065
- EPSS score: 0.11% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~44% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-36065
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 | GitHub, Inc. | |
CWE ids for CVE-2022-36065
- CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Assigned by: nvd@nist.gov (Primary); security-advisories@github.com (Secondary)
- CWE-23 (Relative Path Traversal): The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory. Assigned by: security-advisories@github.com (Secondary)
- CWE-434 (Unrestricted Upload of File with Dangerous Type): The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-36065
- https://github.com/growthbook/growthbook/security/advisories/GHSA-j24q-55xh-wm4r
  Account creation and file upload vulnerability in self-hosted GrowthBook (GitHub Security Advisory). Tags: Issue Tracking; Mitigation; Patch; Third Party Advisory
- https://github.com/growthbook/growthbook/pull/487
  Secure file uploads when NODE_ENV=dev by jdorn (Pull Request #487, growthbook/growthbook). Tags: Issue Tracking; Mitigation; Patch; Third Party Advisory
- https://github.com/growthbook/growthbook/commit/1a5edff8786d141161bf880c2fd9ccbe2850a264
  Secure file uploads when NODE_ENV=dev (#487) (commit 1a5edff, growthbook/growthbook). Tags: Patch; Third Party Advisory