CVE-2022-44900: path traversal vulnerability in py7zr  
Directory traversal vulnerability in SevenZipFile.extractall() function of  
the python library py7zr version 0.20.0 and earlier allow attackers to read  
arbitrary files on the local machine via malicious 7z file extraction.  
CVE-2022-44900 <>  
vulnerability allows attackers to achieve arbitrary file read and arbitrary  
file write. To do so, an attacker needs to create a malicious 7z archive  
containing a symlink to achieve an arbitrary file read and a file with a  
path traversal payload as name to achieve an arbitrary file write.  
The script used for tests is the following:  
import py7zr  
import click  
def main_procedure(filename):  
with py7zr.SevenZipFile(filename, 'r') as archive:  
The vulnerabile function targeted is py7zr.SevenZipFile.extractall().  
A lab setup has been built to test for vulnerabilities. Directories  
structured as follow were used:  
โ”œโ”€โ”€ start_point  
โ”‚ โ”œโ”€โ”€ archive.7z  
โ”‚ โ””โ”€โ”€  
โ””โ”€โ”€ target  
โ”œโ”€โ”€ write  
โ””โ”€โ”€ read  
The start_point directory contains the script used for tests and the  
malicious archive containing the path traversal payload in the form of the  
filename of an archived file.  
To achieve an arbitrary file read, one of the files in the archives needs  
to have ../target/write set as name. The content of the file will be  
written into target/write.  
In a similar way, to achieve an arbitrary file read, a symlink pointing to  
../target/read needs to be present in the archive. When extracted the  
symlink will consist of the content of target/read.  
Disclosure timeline  
29/10/2022 - Maintainer was notified privately of the vulnerabilities  
30/10/2022 - Response from maintainer  
01/11/2022 - Release of patched version 0.20.1  
01/11/2022 - CVE ID request  
06/12/2022 - CVE ID obtained  
06/12/2022 - Public disclosure