exploitDog
GHSA-vvmv-wrvp-9gjr

Published: 15 Jul 2024
Source: github
GitHub: reviewed
CVSS4: 6.9
CVSS3: 5.3

Description

@jmondi/url-to-png contains a Path Traversal vulnerability

Summary

While trying to add a BLOCK_LIST feature, the maintainer noticed that the ImageId is not sanitized in the code, which leads to a path traversal vulnerability. This is different from a traditional path traversal issue: as of NOW the image can be stored in any arbitrary location, and given enough time someone might be able to come up with a working exploit, BUT for the time being they are reporting this.

Details

@jmondi/url-to-png does not sanitize the ImageID, i.e. it does not remove special characters from the params (extract_query_params.ts#L75):

const imageId = dateString + "." + slugify(validData.url) + configToString(params);

When this is fed to other parts of the code, such as (filesystem.ts#L34):

return path.join(this.storagePath, imageId) + ".png";

it results in a path traversal issue.

PoC

# Configuration for filesystem storage provider (optional)
STORAGE_PROVIDER=filesystem
IMAGE_STORAGE_PATH=poc

Set this in your .env file and use this as your payload.

http://localhost:3089/?url=http://example.com&width=400&isDarkMode=../../../../../../../../../../../../tmp/hack

This will create a .png file under /tmp on the system.

Loom POC: https://www.loom.com/share/bd7b306cdae7445c97e68f0626e743a6

This applies to pretty much all of the arguments (except numeric values).

A simple fix would be to apply slugify to the params as well, like so (#L75):

- const imageId = dateString + "." + slugify(validData.url) + configToString(params); + const imageId = dateString + "." + slugify(validData.url) + slugify(configToString(params));
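Review bot: slugifying the serialised params removes the traversal characters, but it also collapses distinct values onto the same id (two param sets that differ only in punctuation slug to the same string, so one cached image can be served for the other), and it leaves filesystem.ts#L34 trusting whatever id reaches path.join. Consider keeping a separator between the url slug and the params slug, and adding a check at the join site that the resolved path is still under this.storagePath.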

Impact

This is a path traversal vulnerability that allows arbitrary file write as of now.

Packages

Name: @jmondi/url-to-png (npm)
Affected versions: < 2.1.2
Fixed version: 2.1.2

EPSS

Percentile: 38%
0.00167
Low

6.9 Medium

CVSS4

5.3 Medium

CVSS3

Weaknesses

CWE-22

Related vulnerabilities

CVSS3: 4.3
nvd
more than 1 year ago

@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. Input of the `ImageId` in the code is not sanitized and may lead to path traversal. This allows an attacker to store an image in an arbitrary location that the server has permission to access. This issue has been addressed in version 2.1.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
