CVE-2022-29180 in charm
Summary
by MITRE • 05/07/2022
A vulnerability in which attackers could forge HTTP requests to manipulate the `charm` data directory to access or delete anything on the server. This has been patched and is available in release [v0.12.1](https://github.com/charmbracelet/charm/releases/tag/v0.12.1). We recommend that all users running self-hosted `charm` instances update immediately. This vulnerability was found in-house and we haven't been notified of any potential exploiters. ### Additional notes * Encrypted user data uploaded to the Charm server is safe as Charm servers cannot decrypt user data. This includes filenames, paths, and all key-value data. * Users running the official Charm [Docker images](https://github.com/charmbracelet/charm/blob/main/docker.md) are at minimal risk because the exploit is limited to the containerized filesystem.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/11/2022
The vulnerability identified as CVE-2022-29180 represents a critical path traversal and privilege escalation flaw within the charm server application that enables remote attackers to manipulate the `charm` data directory through forged HTTP requests. This vulnerability stems from insufficient input validation and improper access controls within the server's file handling mechanisms, allowing malicious actors to bypass normal security boundaries and gain unauthorized access to server resources. The flaw specifically affects self-hosted instances of the charm application where the data directory can be manipulated through carefully crafted HTTP requests that exploit the application's trust in user-supplied data paths.
The technical implementation of this vulnerability leverages the application's handling of HTTP request parameters that control file system operations within the charm data directory. Attackers can forge requests that manipulate path resolution logic to traverse directory structures and access or delete files beyond the intended scope of the application's data directory. This represents a classic path traversal vulnerability that aligns with CWE-22 Path Traversal and CWE-73 Improper Neutralization of Special Elements in Output Used by a Downstream Component, where user-controllable input is directly used in file system operations without proper sanitization or validation. The vulnerability's exploitation requires minimal privileges and can be executed through standard HTTP request manipulation techniques, making it particularly dangerous for self-hosted deployments.
The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential data destruction and system compromise within affected environments. Since the vulnerability allows for deletion operations, attackers could potentially remove critical application data or system files, leading to complete service disruption. The risk is particularly elevated for self-hosted installations where administrators may not have robust network segmentation or monitoring in place to detect such unauthorized activities. According to ATT&CK framework's T1078 Valid Accounts and T1566 Phishing categories, this vulnerability could be exploited through social engineering to gain initial access before leveraging the path traversal to escalate privileges and move laterally within the system. The patched version v0.12.1 addresses these issues through improved input validation, enhanced access controls, and stricter path resolution mechanisms that prevent directory traversal attacks.
Organizations running self-hosted charm instances must prioritize immediate remediation to protect against potential exploitation of this vulnerability. The security patch implemented in version 0.12.1 includes comprehensive input sanitization measures that validate all user-supplied paths against a whitelist of allowed directories and implement proper path normalization techniques to prevent traversal attacks. While the official Docker images present minimal risk due to containerization restrictions that limit the exploit to the containerized filesystem, organizations should still ensure all deployments are updated to the patched version. The vulnerability's discovery through internal auditing demonstrates the importance of continuous security testing and monitoring, as this flaw could have been exploited by threat actors with knowledge of the application's architecture and HTTP request patterns. The fact that encrypted user data remains protected by the application's design architecture provides some mitigation, but the potential for service disruption and unauthorized access to system resources necessitates immediate patch deployment across all affected installations.