GHSA SYNC: 1 brand new advisory (#825)

--------- Co-authored-by: Postmodern <[email protected]>
rubysec · Oct 8, 2024 · 6f90c48 · 6f90c48
1 parent 881667a
commit 6f90c48
Showing 1 changed file with 78 additions and 0 deletions.
diff --git a/gems/camaleon_cms/CVE-2024-46987.yml b/gems/camaleon_cms/CVE-2024-46987.yml
@@ -0,0 +1,78 @@
+---
+gem: camaleon_cms
+cve: 2024-46987
+ghsa: cp65-5m9r-vc2c
+url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c
+title: Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183)
+date: 2024-09-18
+description: |
+  A path traversal vulnerability accessible via MediaController's
+  download_private_file method allows authenticated users to download
+  any file on the web server Camaleon CMS is running on (depending
+  on the file permissions).
+
+  In the [download_private_file] method:
+
+  ```ruby
+  def download_private_file
+    cama_uploader.enable_private_mode!
+
+    file = cama_uploader.fetch_file("private/#{params[:file]}")
+
+    send_file file, disposition: 'inline'
+  end
+  ```
+
+  [download_private_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L28
+
+  The file parameter is passed to the [fetch_file] method of the
+  CamaleonCmsLocalUploader class (when files are uploaded locally):
+
+  ```ruby
+  def fetch_file(file_name)
+    raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name)
+
+    file_name
+  end
+  ```
+
+  [fetch_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L27
+
+  If the file exists it's passed back to the download_private_file method
+  where the file is sent to the user via [send_file].
+
+  [send_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L33-L34
+
+  ## Proof of concept
+
+  An authenticated user can download the /etc/passwd file by visiting an URL such as:
+
+      https://<camaleon-host>/admin/media/download_private_file?file=../../../../../../etc/passwd
+
+  ## Impact
+
+  This issue may lead to Information Disclosure.
+
+  ## Remediation
+
+  Normalize file paths constructed from untrusted user input before using
+  them and check that the resulting path is inside the targeted directory.
+  Additionally, do not allow character sequences such as `..` in untrusted
+  input that is used to build paths.
+
+  ## See Also
+
+  * [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)
+  * [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
+cvss_v3: 7.7
+patched_versions:
+  - ">= 2.8.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-46987
+    - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c
+    - https://github.com/owen2345/camaleon-cms/commit/071b1b09d6d61ab02a5960b1ccafd9d9c2155a3e
+    - https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
+    - https://owasp.org/www-community/attacks/Path_Traversal
+    - https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released
+    - https://github.com/advisories/GHSA-cp65-5m9r-vc2c