Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jcDY1LTVtOXItdmMyY84AA_rC

Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183)

A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions).

In the download_private_file method:

def download_private_file
  cama_uploader.enable_private_mode!

  file = cama_uploader.fetch_file("private/#{params[:file]}")

  send_file file, disposition: 'inline'
end

The file parameter is passed to the fetch_file method of the CamaleonCmsLocalUploader class (when files are uploaded locally):

def fetch_file(file_name)
  raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name)

  file_name
end

If the file exists it's passed back to the download_private_file method where the file is sent to the user via send_file.

Proof of concept
An authenticated user can download the /etc/passwd file by visiting an URL such as:

https:///admin/media/download_private_file?file=../../../../../../etc/passwd
Impact
This issue may lead to Information Disclosure.

Remediation
Normalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.

See also:

CodeQL: Uncontrolled data used in path expression
OWASP: Path Traversal

Permalink: https://github.com/advisories/GHSA-cp65-5m9r-vc2c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcDY1LTVtOXItdmMyY84AA_rC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 25 days ago
Updated: 4 days ago


CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-cp65-5m9r-vc2c, CVE-2024-46987
References: Repository: https://github.com/owen2345/camaleon-cms
Blast Radius: 8.3

Affected Packages

rubygems:camaleon_cms
Dependent packages: 7
Dependent repositories: 19
Downloads: 335,994 total
Affected Version Ranges: < 2.8.1
Fixed in: 2.8.1
All affected versions: 0.0.1, 0.0.2, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.2.0, 0.2.1, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.8.0
All unaffected versions: 2.8.1, 2.8.2, 2.8.3