Unauthenticated Path Traversal in kareadita/kavita

Valid

Reported on

Aug 6th 2022


Description

An unauthenticated user can read and download files from the application's host system by abusing the filename parameter of the /api/image/cover-upload endpoint, which is not properly sanitized against path traversal.

Proof of Concept

1 - Send the following request, where the filename parameter holds the relative path of the target file.

GET /api/image/cover-upload?filename=<filename>
Host: localhost:5000

[screenshot: arbitrary-file-read]

Impact

An unauthenticated attacker can read many files, such as configuration, backup, log and database files, that contain sensitive information about the system, the application and its users.
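The mitigation for the traversal described above, as an added example in Python rather than Kavita's own C# code: confine the user-supplied filename to the cover directory before opening anything. The directory and file names are constructed for the example.

```python
import tempfile
from pathlib import Path

class PathTraversalError(ValueError):
    """Raised when a requested name would escape the cover directory."""

def resolve_cover(cover_dir: str, filename: str) -> Path:
    """Map the untrusted ``filename`` query parameter onto a file inside
    ``cover_dir``. Only a bare file name is accepted: no directory parts,
    no absolute path, no ``..`` and no symlink that leads outside."""
    if not filename or filename in (".", ".."):
        raise PathTraversalError("empty or dot name")
    # Covers are addressed by bare name, so any separator or NUL byte means the
    # client is steering the lookup elsewhere (e.g. ../../appsettings.json).
    if any(ch in filename for ch in ("/", "\\", "\x00")):
        raise PathTraversalError(f"directory components not allowed: {filename!r}")
    base = Path(cover_dir).resolve()
    # resolve() follows symlinks, so a planted link inside cover_dir that points
    # outside is rejected by the containment check below, not just ".." strings.
    target = (base / filename).resolve()
    if base not in target.parents:
        raise PathTraversalError(f"escapes cover directory: {filename!r}")
    if not target.is_file():
        raise FileNotFoundError(filename)
    return target

def is_safe(cover_dir: str, filename: str) -> bool:
    """True when the name passes containment (the file may still be absent)."""
    try:
        resolve_cover(cover_dir, filename)
    except PathTraversalError:
        return False
    except FileNotFoundError:
        pass
    return True

def make_demo_dir() -> str:
    """Constructed fixture: a temporary cover directory holding one fake PNG."""
    d = tempfile.mkdtemp(prefix="covers-")
    (Path(d) / "cover.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return d

if __name__ == "__main__":
    covers = make_demo_dir()
    print(resolve_cover(covers, "cover.png"))
    # Constructed traversal attempts of the kind the report describes.
    for bad in ("../appsettings.json", "/etc/passwd", "..\\backup\\example.zip"):
        print(bad, "->", is_safe(covers, bad))
```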

We are processing your report and will contact the kareadita/kavita team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back a year ago
Joe Milazzo validated this vulnerability a year ago
vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Milazzo
a year ago

Maintainer


Fixed locally

Joe Milazzo marked this as fixed in 0.5.4.1 with commit 9c31f7 a year ago
Joe Milazzo has been awarded the fix bounty
This vulnerability will not receive a CVE