GHSA-FRVJ-CFQ4-3228

Vulnerability from github – Published: 2024-08-02 21:13 – Updated: 2024-11-04 13:53
VLAI?
Summary
Path traversal in Reposilite javadoc file expansion (arbitrary file creation/overwrite) (`GHSL-2024-073`)
Details

Summary

Reposilite v3.5.10 is affected by an Arbitrary File Upload vulnerability via path traversal in expanding of Javadoc archives.

Details

Reposilite provides support for JavaDocs files, which are archives that contain documentation for artifacts. Specifically, JavadocEndpoints.kt controller allows to expand the javadoc archive into the server's file system and return its content. The problem is in the way how the archives are expanded, specifically how the new filename is created:

JavadocContainerService.kt#L127-L136

jarFile.entries().asSequence().forEach { file ->
    if (file.isDirectory) {
        return@forEach
    }

     val path = Paths.get(javadocUnpackPath.toString() + "/" + file.name)

    path.parent?.also { parent -> Files.createDirectories(parent) }
    jarFile.getInputStream(file).copyToAndClose(path.outputStream())
}.asSuccess<Unit, ErrorResponse>()

The file.name taken from the archive can contain path traversal characters, such as '/../../../anything.txt', so the resulting extraction path can be outside the target directory.

Impact

If the archive is taken from an untrusted source, such as Maven Central or JitPack for example, an attacker can craft a special archive to overwrite any local file on Reposilite instance. This could lead to remote code execution, for example by placing a new plugin into the '$workspace$/plugins' directory. Alternatively, an attacker can overwrite the content of any other package.

Note that the attacker can use its own malicious package from Maven Central to overwrite any other package on Reposilite.

Steps to reproduce

  1. Create a malicious javadoc archive that contains filenames with path traversal characters:
zip test-1.0-javadoc.jar ../../../../../../../../tmp/evil.txt index.html

Make sure that ../../../../../../../../tmp/evil.txt and index.html files exist on the system where you create this archive.

  1. Publish this archive to the repository which Reposilite is mirroring, such as Maven Central or JitPack. For the test purposes, I used my own server that imitates the upstream maven repository: http://artsploit.com/maven/com/artsploit/reposilite-zipslip/1.0/reposilite-zipslip-1.0-javadoc.jar

  2. Start Reposilite with 'releases' repository mirroring to 'http://artsploit.com/maven/'

  3. Now, if the attacker send the request to http://localhost:8080/javadoc/releases/com/artsploit/reposilite-zipslip/1.0, the aforementioned archive will be obtained from the http://artsploit.com/maven/com/artsploit/reposilite-zipslip/1.0/reposilite-zipslip-1.0-javadoc.jar address and its 'evil.txt' file will be expanded to '$workspace$/tmp/evil.txt'. Note that to perform this action, an attacker does not need to provide any credentials, as fetching from the mirrored repository does not require authentication.

  4. Confirm that '$workspace$/tmp/evil.txt' is created on the server where Reposilite is running.

Remediation

Normalize (remove all occurrences of /../) the file.name variable before concatenating it with javadocUnpackPath. E.g.:

val path = Paths.get(javadocUnpackPath.toString() + "/" + Paths.get(file.name).normalize().toString())
Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.reposilite:reposilite-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "fixed": "3.5.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-36116"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-02T21:13:13Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nReposilite v3.5.10 is affected by an Arbitrary File Upload vulnerability via path traversal in expanding of Javadoc archives.\n\n### Details\nReposilite provides support for JavaDocs files, which are archives that contain documentation for artifacts. Specifically, [JavadocEndpoints.kt](https://github.com/dzikoysk/reposilite/blob/68b73f19dc9811ccf10936430cf17f7b0e622bd6/reposilite-backend/src/main/kotlin/com/reposilite/javadocs/infrastructure/JavadocEndpoints.kt#L28) controller allows to expand the javadoc archive into the server\u0027s file system and return its content. The problem is in the way how the archives are expanded, specifically how the new filename is created:\n\n[JavadocContainerService.kt#L127-L136](https://github.com/dzikoysk/reposilite/blob/68b73f19dc9811ccf10936430cf17f7b0e622bd6/reposilite-backend/src/main/kotlin/com/reposilite/javadocs/JavadocContainerService.kt#L127-L136)\n\n```kotlin\njarFile.entries().asSequence().forEach { file -\u003e\n    if (file.isDirectory) {\n        return@forEach\n    }\n\n     val path = Paths.get(javadocUnpackPath.toString() + \"/\" + file.name)\n\n    path.parent?.also { parent -\u003e Files.createDirectories(parent) }\n    jarFile.getInputStream(file).copyToAndClose(path.outputStream())\n}.asSuccess\u003cUnit, ErrorResponse\u003e()\n```\n\nThe `file.name` taken from the archive can contain path traversal characters, such as \u0027/../../../anything.txt\u0027, so the resulting extraction path can be outside the target directory.\n\n### Impact\n\nIf the archive is taken from an untrusted source, such as Maven Central or JitPack for example, an attacker can craft a special archive to overwrite any local file on Reposilite instance. This could lead to remote code execution, for example by placing a new plugin into the \u0027$workspace$/plugins\u0027 directory. Alternatively, an attacker can overwrite the content of any other package.\n\nNote that the attacker can use its own malicious package from Maven Central to overwrite any other package on Reposilite.\n\n### Steps to reproduce\n\n1. Create a malicious javadoc archive that contains filenames with path traversal characters:\n```bash\nzip test-1.0-javadoc.jar ../../../../../../../../tmp/evil.txt index.html\n```\nMake sure that `../../../../../../../../tmp/evil.txt` and `index.html` files exist on the system where you create this archive.\n\n2. Publish this archive to the repository which Reposilite is mirroring, such as Maven Central or JitPack. For the test purposes, I used my own server that imitates the upstream maven repository:\nhttp://artsploit.com/maven/com/artsploit/reposilite-zipslip/1.0/reposilite-zipslip-1.0-javadoc.jar\n\n3. Start Reposilite with \u0027releases\u0027 repository mirroring to \u0027http://artsploit.com/maven/\u0027\n\n4. Now, if the attacker send the request to http://localhost:8080/javadoc/releases/com/artsploit/reposilite-zipslip/1.0, the aforementioned archive will be obtained from  the http://artsploit.com/maven/com/artsploit/reposilite-zipslip/1.0/reposilite-zipslip-1.0-javadoc.jar address and its \u0027evil.txt\u0027 file will be expanded to \u0027$workspace$/tmp/evil.txt\u0027. Note that to perform this action, an attacker does not need to provide any credentials, as fetching from the mirrored repository does not require authentication.\n\n6. Confirm that \u0027$workspace$/tmp/evil.txt\u0027 is created on the server where Reposilite is running.\n\n### Remediation\n\nNormalize (remove all occurrences of `/../`) the `file.name` variable before concatenating it with `javadocUnpackPath`. E.g.:\n\n```kotlin\nval path = Paths.get(javadocUnpackPath.toString() + \"/\" + Paths.get(file.name).normalize().toString())\n```\n\n",
  "id": "GHSA-frvj-cfq4-3228",
  "modified": "2024-11-04T13:53:13Z",
  "published": "2024-08-02T21:13:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dzikoysk/reposilite/security/advisories/GHSA-frvj-cfq4-3228"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dzikoysk/reposilite/commit/848173738e4375482c70365db5cebae29f125eaa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dzikoysk/reposilite"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dzikoysk/reposilite/releases/tag/3.5.12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Path traversal in Reposilite javadoc file expansion (arbitrary file creation/overwrite) (`GHSL-2024-073`)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.