Impact
Logged-in users can access and modify the contents of any file on the system.
The affected versions:
v3.0.0 - v3.6.4
Details
The user 'foo' clicks the 'Job-Template' menu and creates a playbook named 'test', then gets the playbook id from the detail page, like 'e0adabef-c38f-492d-bd92-832bacc3df5f'.
An attacker can exploit the directory traversal flaw in the `key` parameter using the following URL to access and retrieve the contents of the file.
https://jumpserver-ip/api/v1/ops/playbook/e0adabef-c38f-492d-bd92-832bacc3df5f/file/?key=../../../../../../../etc/passwd
A similar method can be used to modify the file content.
Patches
Update to safe versions:
v3 version: >= v3.6.5
Workarounds
It is recommended to upgrade to a safe version.
After upgrading, visit the API with a URL like
https://jumpserver-ip/api/v1/ops/playbook/e0adabef-c38f-492d-bd92-832bacc3df5f/file/?key=../../../../../../../etc/passwd
The expected response content is below:
{ msg: "Invalid file path" }
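One way to implement a containment check that rejects such a `key` with the response above. This is an added example, not JumpServer's actual patch; the function names, the directory layout and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

INVALID = {"msg": "Invalid file path"}


def resolve_in_workdir(work_dir, key):
    """Return the real path for `key` if it stays inside work_dir, else None."""
    base = os.path.realpath(work_dir)
    # realpath collapses ".." segments and follows symlinks before the check;
    # an absolute key makes os.path.join discard `base` entirely.
    candidate = os.path.realpath(os.path.join(base, key))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    return candidate if inside else None


def read_playbook_file(work_dir, key):
    """Hypothetical handler body: read a file addressed by the `key` parameter."""
    path = resolve_in_workdir(work_dir, key)
    if path is None or not os.path.isfile(path):
        return INVALID
    with open(path, encoding="utf-8") as fh:
        return {"content": fh.read()}


def demo():
    """Build a constructed directory tree and try safe and unsafe keys."""
    with tempfile.TemporaryDirectory() as root:
        work_dir = os.path.join(root, "playbook")  # constructed layout
        os.makedirs(os.path.join(work_dir, "roles"))
        with open(os.path.join(work_dir, "roles", "main.yml"), "w") as fh:
            fh.write("- hosts: all\n")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("outside the playbook directory\n")
        os.symlink(os.path.join(root, "secret.txt"),
                   os.path.join(work_dir, "link.txt"))
        keys = ["roles/main.yml", "roles/../roles/main.yml", "../secret.txt",
                "../../../../../../../etc/passwd", "/etc/passwd", "link.txt"]
        return {k: read_playbook_file(work_dir, k) for k in keys}


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key!r:45} -> {result}")
```

The same check belongs on the write path, since the advisory notes that file content can be modified in a similar way.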
References
Thanks to lawliet & zhiniang peng (@edwardzpeng) with Sangfor for reporting this bug.