Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability
- Severity: High
Description
A logged-in user with any role can delete arbitrary files on the filesystem by calling the sync/clean_sync_dir endpoint. The dir_name POST parameter is neither validated nor sanitized before it is used to build the syncDir path, which is then removed with fs.rm, so a value containing traversal sequences resolves to a location outside the intended sync directory.
Recommendation
Update the @saltcorn/server package to the latest compatible version. Version details:
- Affected version(s): <= 1.0.0-beta.15
- Patched version(s): 1.0.0-beta.16
References
Related Issues
- matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal - CVE-2024-50336
- @saltcorn/server arbitrary file zip read and download when downloading auto backups - Vulnerability
- Langchain Path Traversal vulnerability - CVE-2024-7774
- mapshaper Path Traversal vulnerability - CVE-2024-1163
- Tags:
- npm
- @saltcorn/server
Last updated on October 08, 2024