GHSA-CP65-5M9R-VC2C

Vulnerability from github – Published: 2024-09-18 15:46 – Updated: 2025-04-17 23:00
VLAI?
Summary
Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183)
Details

A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions).

In the download_private_file method:

def download_private_file
  cama_uploader.enable_private_mode!

  file = cama_uploader.fetch_file("private/#{params[:file]}")

  send_file file, disposition: 'inline'
end

The file parameter is passed to the fetch_file method of the CamaleonCmsLocalUploader class (when files are uploaded locally):

def fetch_file(file_name)
  raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name)

  file_name
end

If the file exists it's passed back to the download_private_file method where the file is sent to the user via send_file.

Proof of concept An authenticated user can download the /etc/passwd file by visiting an URL such as:

https:///admin/media/download_private_file?file=../../../../../../etc/passwd Impact This issue may lead to Information Disclosure.

Remediation Normalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.

See also:

CodeQL: Uncontrolled data used in path expression OWASP: Path Traversal

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
7.1 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "camaleon_cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-46987"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-18T15:46:53Z",
    "nvd_published_at": "2024-09-18T18:15:07Z",
    "severity": "HIGH"
  },
  "details": "A path traversal vulnerability accessible via MediaController\u0027s download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions).\n\nIn the [download_private_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L28) method:\n```ruby\ndef download_private_file\n  cama_uploader.enable_private_mode!\n\n  file = cama_uploader.fetch_file(\"private/#{params[:file]}\")\n\n  send_file file, disposition: \u0027inline\u0027\nend\n```\nThe file parameter is passed to the [fetch_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L27) method of the CamaleonCmsLocalUploader class (when files are uploaded locally):\n```ruby\ndef fetch_file(file_name)\n  raise ActionController::RoutingError, \u0027File not found\u0027 unless file_exists?(file_name)\n\n  file_name\nend\n```\nIf the file exists it\u0027s passed back to the download_private_file method where the file is sent to the user via [send_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L33-L34).\n\nProof of concept\nAn authenticated user can download the /etc/passwd file by visiting an URL such as:\n\nhttps://\u003ccamaleon-host\u003e/admin/media/download_private_file?file=../../../../../../etc/passwd\nImpact\nThis issue may lead to Information Disclosure.\n\nRemediation\nNormalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.\n\nSee also:\n\n[CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)\n[OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)",
  "id": "GHSA-cp65-5m9r-vc2c",
  "modified": "2025-04-17T23:00:53Z",
  "published": "2024-09-18T15:46:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46987"
    },
    {
      "type": "WEB",
      "url": "https://github.com/owen2345/camaleon-cms/commit/071b1b09d6d61ab02a5960b1ccafd9d9c2155a3e"
    },
    {
      "type": "WEB",
      "url": "https://codeql.github.com/codeql-query-help/ruby/rb-path-injection"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/owen2345/camaleon-cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/CVE-2024-46987.yml"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/attacks/Path_Traversal"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS"
    },
    {
      "type": "WEB",
      "url": "https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.