GHSA-82J3-HF72-7X93

Vulnerability from github – Published: 2024-11-04 23:23 – Updated: 2024-11-04 23:23
VLAI?
Summary
Reposilite vulnerable to path traversal while serving javadoc expanded files (arbitrary file read) (`GHSL-2024-074`)
Details

Summary

Reposilite v3.5.10 is affected by an Arbitrary File Read vulnerability via path traversal while serving expanded javadoc files.

Details

The problem lies in the way how the expanded javadoc files are served. The GET /javadoc/{repository}/<gav>/raw/<resource> route uses the <resource> path parameter to find the file in the javadocUnpackPath directory and returns it's content to the user.

JavadocFacade.kt#L77:

fun findRawJavadocResource(request: JavadocRawRequest): Result<JavadocRawResponse, ErrorResponse> =
   with (request) {
       mavenFacade.canAccessResource(accessToken, repository, gav)
           .flatMap { javadocContainerService.loadContainer(accessToken, repository, gav) }
           .filter({ Files.exists(it.javadocUnpackPath.resolve(resource.toString())) }, { notFound("Resource $resource not found") })
           .map {
               JavadocRawResponse(
                   contentType = supportedExtensions[resource.getExtension()] ?: ContentType.APPLICATION_OCTET_STREAM,
                   content = Files.newInputStream(it.javadocUnpackPath.resolve(resource.toString()))
               )
           }
   }

In this case, the <resource> path parameter can contain path traversal characters such as /../../. Since the path is concatenated with the main directory, it opens the possibility to read files outside the javadocUnpackPath directory.

Impact

This issue may lead to Arbitrary File Read on the server. A potential attacker can read some sensitive file, such as reposilite.db, that contains the sqlite database used by Reposilite. This database contains the sensitive information used by Reposilite, including passwords and hashes of issued tokens. Also, the configuration.cdn file can be read, which contains other sensitive properties.

Steps to reproduce

  1. Start the Reposilite instance on http://localhost:8080/
  2. Find at least one javadoc file in the hosted repositories. For example, the default test workspace contains the /releases/javadoc/1.0.0/javadoc-1.0.0-javadoc.jar archive that is suitable for our attack.
  3. Send a GET request to http://127.0.0.1:8080/javadoc/releases/javadoc/1.0.0/raw/%2e%2e%5c%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2freposilite.db When this request is processed on the server, Reposilite tries to unpack the /repositories/releases/javadoc/1.0.0/javadoc-1.0.0-javadoc.jar file into the /javadocs/releases/javadoc/1.0.0/.cache/unpack folder. Then, it tries to read the ../../../../../../reposilite.db file from this folder, which triggers the path traversal attack.

image

Remediation

Normalize (remove all occurrences of /../) the <resource> path parameter before using it when reading the file. For example:

content = Files.newInputStream(it.javadocUnpackPath.resolve(resource.toPath()))

Changing resource.toString() to resource.toPath() is enough here as the com.reposilite.storage.api.Location#toPath method normalizes the string internally.

Severity ?
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
8.8 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.reposilite:reposilite-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "fixed": "3.5.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-04T23:23:08Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nReposilite v3.5.10 is affected by an Arbitrary File Read vulnerability via path traversal while serving expanded javadoc files.\n\n### Details\nThe problem lies in the way how the expanded javadoc files are served. The `GET /javadoc/{repository}/\u003cgav\u003e/raw/\u003cresource\u003e` route uses the `\u003cresource\u003e` path parameter to find the file in the `javadocUnpackPath` directory and returns it\u0027s content to the user.\n\n[JavadocFacade.kt#L77](https://github.com/dzikoysk/reposilite/blob/68b73f19dc9811ccf10936430cf17f7b0e622bd6/reposilite-backend/src/main/kotlin/com/reposilite/javadocs/JavadocFacade.kt#L77):\n\n```kotlin\nfun findRawJavadocResource(request: JavadocRawRequest): Result\u003cJavadocRawResponse, ErrorResponse\u003e =\n   with (request) {\n       mavenFacade.canAccessResource(accessToken, repository, gav)\n           .flatMap { javadocContainerService.loadContainer(accessToken, repository, gav) }\n           .filter({ Files.exists(it.javadocUnpackPath.resolve(resource.toString())) }, { notFound(\"Resource $resource not found\") })\n           .map {\n               JavadocRawResponse(\n                   contentType = supportedExtensions[resource.getExtension()] ?: ContentType.APPLICATION_OCTET_STREAM,\n                   content = Files.newInputStream(it.javadocUnpackPath.resolve(resource.toString()))\n               )\n           }\n   }\n```\n\nIn this case, the `\u003cresource\u003e` path parameter can contain path traversal characters such as `/../../`. Since the path is concatenated with the main directory, it opens the possibility to read files outside the `javadocUnpackPath` directory.\n\n#### Impact\n\nThis issue may lead to Arbitrary File Read on the server. A potential attacker can read some sensitive file, such as `reposilite.db`, that contains the sqlite database used by Reposilite. This database contains the sensitive information used by Reposilite, including passwords and hashes of issued tokens. Also, the `configuration.cdn` file can be read, which contains other sensitive properties.\n\n### Steps to reproduce\n\n1. Start the Reposilite instance on http://localhost:8080/\n2. Find at least one javadoc file in the hosted repositories. For example, the default test workspace contains the `/releases/javadoc/1.0.0/javadoc-1.0.0-javadoc.jar` archive that is suitable for our attack.\n3. Send a GET request to http://127.0.0.1:8080/javadoc/releases/javadoc/1.0.0/raw/%2e%2e%5c%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2freposilite.db\nWhen this request is processed on the server, Reposilite tries to unpack the `/repositories/releases/javadoc/1.0.0/javadoc-1.0.0-javadoc.jar` file into the `/javadocs/releases/javadoc/1.0.0/.cache/unpack` folder. Then, it tries to read the `../../../../../../reposilite.db` file from this folder, which triggers the path traversal attack.\n\n![image](https://github.com/dzikoysk/reposilite/assets/44605151/2f2638e2-2b6a-498d-9ca3-bacc84041d8a)\n\n### Remediation\n\nNormalize (remove all occurrences of `/../`) the `\u003cresource\u003e` path parameter before using it when reading the file. For example:\n\n```kotlin\ncontent = Files.newInputStream(it.javadocUnpackPath.resolve(resource.toPath()))\n```\n\nChanging `resource.toString()` to `resource.toPath()` is enough here as the `com.reposilite.storage.api.Location#toPath` method normalizes the string internally.\n",
  "id": "GHSA-82j3-hf72-7x93",
  "modified": "2024-11-04T23:23:08Z",
  "published": "2024-11-04T23:23:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dzikoysk/reposilite/security/advisories/GHSA-82j3-hf72-7x93"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36117"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dzikoysk/reposilite/commit/e172ae4b539c822d0d6e04cf090713c7202a79d6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dzikoysk/reposilite"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dzikoysk/reposilite/releases/tag/3.5.12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Reposilite vulnerable to path traversal while serving javadoc expanded files (arbitrary file read) (`GHSL-2024-074`)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.