Unauthenticated Path Traversal in kareadita/kavita

Valid

Reported on

Aug 6th 2022


Description

A unauthenticated user can read and download files of the application system by abusing the filename parameter, of the /api/image/cover-uploadendpoint, that is not properly sanitized.

Proof of Concept

1 - Send the following request, where the filename has the relative path of the target file.

GET /api/image/cover-upload?filename=<filename>
Host: localhost:5000

arbitrary-file-read

Impact

An unauthenticated attacker can read many files, like configuration, backup, logs and database files, that contain sensitive information about the system, the application and its users.

We are processing your report and will contact the kareadita/kavita team within 24 hours. 2 months ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back a month ago
Joseph Milazzo validated this vulnerability a month ago
vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joseph Milazzo
a month ago

Maintainer


Fixed locally

Joseph Milazzo confirmed that a fix has been merged on 9c31f7 a month ago
Joseph Milazzo has been awarded the fix bounty
to join this conversation