Skip to content

Insecure file access in ext.php allows exposure of user configuration

Moderate
Alkarex published GHSA-hvrj-5fwj-p7v6 Dec 9, 2022

Package

No package listed

Affected versions

>= 1.18.0, <= 1.20.1

Patched versions

1.20.2

Description

Impact

User configuration files can be accessed remotely, if an attacker can guess usernames. In addition to user preferences, such configurations contain hashed passwords (brypt with cost 9, salted) of FreshRSS Web interface. If the API is used, the configuration might contain a hashed password (brypt with cost 9, salted) of the GReader API, and a hashed password (MD5 salted) of the Fever API.
If using SQLite as a database, the database of a the given user can also be accessed.

Patches

Administrators should update to version 1.20.2 or edge.
Then, users should change their FreshRSS and potentially API passwords.

Workarounds

Besides updating (recommended), admins of older systems can apply the patch manually, or delete the file ./FreshRSS/p/ext.php (which will break some extensions).

References

#4928

Credits

Reported by @c3l3si4n

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CVE ID

CVE-2022-23497

Weaknesses

No CWEs

Credits