GHSA-wf69-r4mx-43rr

Suggest an improvement
Source
https://github.com/advisories/GHSA-wf69-r4mx-43rr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-wf69-r4mx-43rr/GHSA-wf69-r4mx-43rr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wf69-r4mx-43rr
Aliases
  • CVE-2026-33692
Published
2026-06-22T19:54:15Z
Modified
2026-06-22T20:00:10.719399379Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration
Details

Vulnerability Details

CWE: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory

The official docker-compose.yml (line 61) mounts the entire project root directory as the Apache document root:

volumes:
  - "./:/var/www/html/AVideo"

This causes the .env file — which contains database credentials, admin passwords, and infrastructure configuration — to be served as a static file at /.env. No .htaccess rule or Apache configuration blocks access to dotfiles.

Exposed Information

An unauthenticated request to GET /.env returns:

DB_MYSQL_HOST=database
DB_MYSQL_USER=avideo
DB_MYSQL_PASSWORD=avideo
SYSTEM_ADMIN_PASSWORD=admin123
TLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt
TLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key
NETWORK_SUBNET=172.30.0.0/16

Steps to Reproduce

Prerequisites

  • AVideo deployed using the official docker-compose.yml
  • No modifications to the default configuration

Steps

  1. Deploy AVideo using docker compose up -d
  2. Send: curl http://target/.env
  3. The full .env file contents are returned, including database credentials and admin password

Impact

  • Attacker: Unauthenticated (any remote user)
  • Victim: AVideo server and database
  • Specific damage: Attacker obtains database credentials (DB_MYSQL_USER, DB_MYSQL_PASSWORD), admin password (SYSTEM_ADMIN_PASSWORD), and internal network topology (NETWORK_SUBNET). This enables direct database access, admin panel takeover, and further lateral movement within the Docker network.

Proposed Fix

Add a .htaccess rule to block access to dotfiles:

# Block access to hidden files (.env, .git, etc.)
<FilesMatch "^\.">
    Order Allow,Deny
    Deny from all
</FilesMatch>

Or configure Apache to deny dotfile access in the virtual host configuration.

Database specific 
{
    "github_reviewed_at": "2026-06-22T19:54:15Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-20"
    ],
    "nvd_published_at": null,
    "github_reviewed": true
}
References

Affected packages

Packagist / wwbn/avideo

Package

Name
wwbn/avideo
Purl
pkg:composer/wwbn%2Favideo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
29.0

Affected versions

10.*
10.4
10.8
Other
11
11.*
11.1
11.1.1
11.5
11.6
12.*
12.4
14.*
14.3
14.3.1
14.4
18.*
18.0
21.*
21.0
22.*
22.0
24.*
24.0
25.*
25.0
26.*
26.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-wf69-r4mx-43rr/GHSA-wf69-r4mx-43rr.json"