CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
24.9%
A path traversal vulnerability accessible via MediaController’s download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions).
In the download_private_file method:
def download_private_file
cama_uploader.enable_private_mode!
file = cama_uploader.fetch_file("private/#{params[:file]}")
send_file file, disposition: 'inline'
end
The file parameter is passed to the fetch_file method of the CamaleonCmsLocalUploader class (when files are uploaded locally):
def fetch_file(file_name)
raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name)
file_name
end
If the file exists it’s passed back to the download_private_file method where the file is sent to the user via send_file.
Proof of concept
An authenticated user can download the /etc/passwd file by visiting an URL such as:
https://<camaleon-host>/admin/media/download_private_file?file=…/…/…/…/…/…/etc/passwd
Impact
This issue may lead to Information Disclosure.
Remediation
Normalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as … in untrusted input that is used to build paths.
See also:
CodeQL: Uncontrolled data used in path expression
OWASP: Path Traversal
Vendor | Product | Version | CPE |
---|---|---|---|
tuzitio | camaleon_cms | * | cpe:2.3:a:tuzitio:camaleon_cms:*:*:*:*:*:*:*:* |
codeql.github.com/codeql-query-help/ruby/rb-path-injection
github.com/advisories/GHSA-cp65-5m9r-vc2c
github.com/owen2345/camaleon-cms/commit/071b1b09d6d61ab02a5960b1ccafd9d9c2155a3e
github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c
nvd.nist.gov/vuln/detail/CVE-2024-46987
owasp.org/www-community/attacks/Path_Traversal
www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
24.9%