mangadex-downloader vulnerable to unauthorized file reading
Moderate severity
GitHub Reviewed
Published
Sep 5, 2022
in
mansuf/mangadex-downloader
•
Updated Sep 30, 2024
Description
Published by the National Vulnerability Database
Sep 7, 2022
Published to the GitHub Advisory Database
Sep 16, 2022
Reviewed
Sep 16, 2022
Last updated
Sep 30, 2024
Impact
When using
file:<location>
command and<location>
is web URL location (http, https). mangadex-downloader will try to open and read a file in local disk if the content from online file is exist-as-a-file in victim computerSo far, the app only read the files and not execute it. But still, when someone reading your files without you knowing, it's very scary.
Proof of Concept (PoC)
https://www.mansuf.link/unauthorized-file-read-in-mangadex-downloader-cve-2022-36082/
Workarounds
Unfortunately, there is no workarounds to make it safe from this issue. But i suggest you double check the url before proceed to download or update to latest version ( >= 1.7.2)
Patches
Fixed in version 1.7.2.
Commit patch: mansuf/mangadex-downloader@439cc28
References