GHSA-cp65-5m9r-vc2c

Suggest an improvement
Source
https://github.com/advisories/GHSA-cp65-5m9r-vc2c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-cp65-5m9r-vc2c/GHSA-cp65-5m9r-vc2c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cp65-5m9r-vc2c
Aliases
Published
2024-09-18T15:46:53Z
Modified
2024-09-18T19:36:20.500272Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183)
Details

A path traversal vulnerability accessible via MediaController's downloadprivatefile method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions).

In the downloadprivatefile method:

def download_private_file
  cama_uploader.enable_private_mode!

  file = cama_uploader.fetch_file("private/#{params[:file]}")

  send_file file, disposition: 'inline'
end

The file parameter is passed to the fetch_file method of the CamaleonCmsLocalUploader class (when files are uploaded locally):

def fetch_file(file_name)
  raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name)

  file_name
end

If the file exists it's passed back to the downloadprivatefile method where the file is sent to the user via send_file.

Proof of concept An authenticated user can download the /etc/passwd file by visiting an URL such as:

https://<camaleon-host>/admin/media/downloadprivatefile?file=../../../../../../etc/passwd Impact This issue may lead to Information Disclosure.

Remediation Normalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.

See also:

CodeQL: Uncontrolled data used in path expression OWASP: Path Traversal

References

Affected packages

RubyGems / camaleon_cms

Package

Name
camaleon_cms
Purl
pkg:gem/camaleon_cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.8.1

Affected versions

0.*

0.0.1
0.0.2
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1

1.*

1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0

2.*

2.0.1
2.0.2
2.0.3
2.0.4
2.0.4.1
2.1.0
2.1.1
2.1.1.4
2.1.2.0
2.1.2.1
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.7.1
2.3.7.2
2.4.0
2.4.1
2.4.2
2.4.3
2.4.3.1
2.4.3.2
2.4.3.3
2.4.3.4
2.4.3.5
2.4.3.6
2.4.3.7
2.4.3.8
2.4.3.9
2.4.3.10
2.4.3.11
2.4.3.12
2.4.3.13
2.4.4
2.4.4.1
2.4.4.2
2.4.4.3
2.4.4.4
2.4.4.5
2.4.4.6
2.4.4.7
2.4.5
2.4.5.1
2.4.5.2
2.4.5.3
2.4.5.4
2.4.5.5
2.4.5.7
2.4.5.8
2.4.5.9
2.4.5.10
2.4.5.11
2.4.5.12
2.4.5.13
2.4.5.14
2.4.6.0
2.4.6.1
2.4.6.2
2.4.6.3
2.4.6.4
2.4.6.5
2.4.6.6
2.4.6.7
2.4.6.8
2.4.6.9
2.5.0
2.5.1
2.5.2
2.5.3
2.5.3.1
2.6.0
2.6.0.1
2.6.1
2.6.2
2.6.3
2.6.4
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.8.0