Описание
Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183)
A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions).
In the download_private_file method:
The file parameter is passed to the fetch_file method of the CamaleonCmsLocalUploader class (when files are uploaded locally):
If the file exists it's passed back to the download_private_file method where the file is sent to the user via send_file.
Proof of concept An authenticated user can download the /etc/passwd file by visiting an URL such as:
https:///admin/media/download_private_file?file=../../../../../../etc/passwd Impact This issue may lead to Information Disclosure.
Remediation Normalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.
See also:
CodeQL: Uncontrolled data used in path expression OWASP: Path Traversal
Ссылки
- https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c
- https://nvd.nist.gov/vuln/detail/CVE-2024-46987
- https://github.com/owen2345/camaleon-cms/commit/071b1b09d6d61ab02a5960b1ccafd9d9c2155a3e
- https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-46987.yml
- https://owasp.org/www-community/attacks/Path_Traversal
- https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS
- https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released
Пакеты
camaleon_cms
< 2.8.1
2.8.1
EPSS
7.1 High
CVSS4
6.5 Medium
CVSS3
CVE ID
Дефекты
Связанные уязвимости
Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions). This issue may lead to Information Disclosure. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
EPSS
7.1 High
CVSS4
6.5 Medium
CVSS3