Skip to content

Upload path bug #2766

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
berggren opened this issue May 26, 2023 · 1 comment
Closed

Upload path bug #2766

berggren opened this issue May 26, 2023 · 1 comment
Assignees
@berggren

Comments

@berggren
Copy link
Contributor

A bug made it possible for an authenticated user to save user-controlled content to any file on the server. This could result in an (authenticated) RCE. This is not possible via the UI but only via direct API calls.

Note: The user have to be authenticated in order to take advantage of this vulnerability.

This bug was introduced with how the path for the upload functionality was generated from user supplied data.

How to check your deployment:

  • Check the SQL database for any index with a name that is not a UUID4 hex string.

This is mitigated from release 20230526. We fixed the path construction bug and added validation of the index name. See PR for details: #2763
@berggren berggren self-assigned this May 26, 2023
@berggren
Copy link
Contributor Author

This has been fixed in #2763

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@berggren berggren

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@berggren