CVE-2022-36082 in mangadex-downloader
Summary
by MITRE • 09/08/2022
mangadex-downloader is a command-line tool to download manga from MangaDex. When using `file:<location>` command and `<location>` is a web URL location (http, https), mangadex-downloader between versions 1.3.0 and 1.7.2 will try to open and read a file in local disk for each line of website contents. Version 1.7.2 contains a patch for this issue.
Analysis
by VulDB Data Team • 09/08/2022
CVE-2022-36082 affects mangadex-downloader, a command-line tool for downloading manga from MangaDex. The tool accepts a `file:<location>` argument naming a list of items to download, where `<location>` may be a local path or an http/https URL. The flaw is confined to the URL case.
The underlying problem is improper handling of that input. In the affected versions the code path written for a local list file is reused for a remote one: after fetching the web page, the tool treats each line of the response as a local path and tries to open and read that file. Remote, attacker-controlled content therefore decides which local files are opened. No `../` sequences are needed, since a line can simply carry an absolute path. The issue is classified here as CWE-22 (improper limitation of a pathname to a restricted directory); in practice the mechanism is externally controlled file-name selection rather than directory escape, but the consequence is the same: any file readable by the user running the tool can be opened.
Impact: a user who runs the tool against a crafted list URL (one the attacker controls or can influence) causes it to read files of the attacker's choosing, potentially configuration files, credentials or other data readable by that user. The advisory describes the read; what the tool then does with the contents, and hence whether they leave the host, is not stated, so treat exfiltration as possible rather than demonstrated. Affected versions are 1.3.0 up to, but not including, 1.7.2; 1.7.2 is the fixed release. Exploitation requires user interaction (the victim must supply the URL), so this is a client-side issue rather than a remotely reachable service flaw.
Practitioners should note the general lesson: when one argument can name either a local resource or a remote one, the two must be handled by separate code paths, and data retrieved from the remote side must never be passed to file-system APIs. The fix in 1.7.2 separates local list files from remote ones so that lines fetched over the network are processed as download entries rather than as paths. Users should upgrade to 1.7.2 or later; `pip show mangadex-downloader` reports the installed version. The ATT&CK references given for this CVE need correction: T1059 is Command and Scripting Interpreter (T1059.001 is specifically PowerShell and does not apply), and T1566 is Phishing, whose sub-techniques are T1566.001 Spearphishing Attachment and T1566.002 Spearphishing Link; luring a user into passing a crafted URL to the tool is closest to T1566.002. Neither technique describes the flaw itself, which is a local file read inside a client application. The case is a reminder that CLI tools handling mixed local and remote resource references need the same input discipline as network services.
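The following is an added illustration of the bug class described above and of the kind of separation the fix requires. It is not mangadex-downloader's own code: the function names, the injected `fetch` callable (an offline stand-in for an HTTP GET), the MangaDex-ID pattern and the sample listing are all assumptions constructed for the example. The vulnerable handler models the reported behaviour (each fetched line is opened as a local file); the hardened handler treats fetched lines as data only and validates them as download entries.

```python
"""Model of CVE-2022-36082 (file:<location> with a web URL) beside a hardened handler.

Hypothetical example code, not the project's implementation. The fetcher is
injected so the demo runs offline; the ID regex is an assumption for illustration.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# Assumed shape of a bare MangaDex title/chapter ID (UUID-like); illustrative only.
_ENTRY_ID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def _is_web_url(location: str) -> bool:
    """True for http/https locations; a plain path (including C:\\...) is not one."""
    return urlparse(location).scheme.lower() in ("http", "https")


def _lines_of(text: str) -> list[str]:
    """Non-empty, non-comment lines, stripped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def _read_local(path: str) -> str:
    with open(path, encoding="utf-8") as fp:
        return fp.read()


def vulnerable_file_command(location: str, fetch) -> list[str]:
    """Models the affected behaviour: after fetching a remote listing, the loop
    written for local list files is reused, so every fetched line is tried as a
    local path and, if it opens, its contents replace the line."""
    text = fetch(location) if _is_web_url(location) else _read_local(location)
    entries: list[str] = []
    for line in _lines_of(text):
        try:
            # BUG: attacker-controlled line used as a local file name.
            entries.extend(_lines_of(_read_local(line)))
        except (OSError, ValueError):
            entries.append(line)          # not a readable file: keep as an entry
    return entries


def hardened_file_command(location: str, fetch) -> tuple[list[str], list[str]]:
    """Only the top-level <location> may ever touch the file system. Every line,
    local or remote, is data: it is accepted as an entry only if it looks like
    an http/https URL or a bare ID, and never handed to open()."""
    text = fetch(location) if _is_web_url(location) else _read_local(location)
    accepted, rejected = [], []
    for line in _lines_of(text):
        if _is_web_url(line) or _ENTRY_ID.match(line):
            accepted.append(line)
        else:
            rejected.append(line)         # e.g. a path smuggled into the listing
    return accepted, rejected


def demo() -> dict:
    """Runs both handlers on constructed data and returns the results."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")  # stands in for a credentials file
        with open(secret, "w", encoding="utf-8") as fp:
            fp.write("api_token=hunter2\n")
        # Constructed "remote" listing: one legitimate-looking entry, one local path.
        remote_body = f"https://mangadex.org/title/example-id\n{secret}\n"
        fetch = lambda url: remote_body   # offline stand-in for an HTTP GET
        list_url = "https://attacker.example/list.txt"   # hypothetical
        vuln = vulnerable_file_command(list_url, fetch)
        accepted, rejected = hardened_file_command(list_url, fetch)
        return {"vulnerable": vuln, "hardened_accepted": accepted,
                "hardened_rejected": rejected, "secret_path": secret}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the vulnerable run the secret file's contents appear among the download entries, which is exactly the read the advisory describes; in the hardened run the same line is rejected without any file being opened. The validation rule is deliberately an allow-list (URL or ID), not a deny-list of path-like strings, so that an unexpected line shape fails closed.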