Relative Path Traversal in jitsi/jicofo

Valid

Reported on

Nov 15th 2021


Description

A misconfiguration in the documented nginx setup leads to a path traversal vulnerability.

Proof of Concept

According to the nginx configuration documented at https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md?plain=1#L251

a request to /shibboleth-sp../ can retrieve any file under /usr/share
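As an added illustration (not part of the original report or of the jicofo project's documentation), the following Python lint models the nginx pattern this report describes: a prefix location with no trailing slash paired with an alias directory that ends in one, so a request for the prefix immediately followed by ".." is mapped to a path outside the aliased directory. The config snippets, the prefix /shibboleth-sp, the alias /usr/share/shibboleth/ and the function names are constructed assumptions for the example, not copied from the linked document.

```python
import re
from posixpath import normpath

# Constructed nginx snippets (assumptions for this example, not the project's
# own config). The weak form pairs a prefix location without a trailing slash
# with an alias that has one; the fixed form makes the two ends agree.
WEAK_CONFIG = """
location /shibboleth-sp {
    alias /usr/share/shibboleth/;
}
"""

FIXED_CONFIG = """
location /shibboleth-sp/ {
    alias /usr/share/shibboleth/;
}
"""

# Minimal parser for 'location [modifier] <path> { ... }' blocks and the
# 'alias <dir>;' directive inside them; enough for single-level blocks.
LOCATION_RE = re.compile(r"location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{([^}]*)\}", re.S)
ALIAS_RE = re.compile(r"\balias\s+([^;]+);")


def find_alias_traversal(config: str) -> list:
    """Return (location_prefix, alias_dir) pairs where a prefix location lacks a
    trailing slash while its alias ends in one. With that pairing, a URI of the
    form '<prefix>../' matches the location and the '..' lands in the alias path."""
    findings = []
    for match in LOCATION_RE.finditer(config):
        modifier, prefix, body = match.groups()
        if modifier:  # '=' (exact) and regex locations are not prefix matches
            continue
        alias = ALIAS_RE.search(body)
        if alias is None:
            continue
        target = alias.group(1).strip()
        if not prefix.endswith("/") and target.endswith("/"):
            findings.append((prefix, target))
    return findings


def resolve_alias(prefix: str, alias: str, uri: str):
    """Model how nginx maps a URI under a prefix location that uses 'alias':
    the URI is normalised first, then the matched prefix is replaced by the
    alias value and the remainder of the URI appended. Returns None when the
    (normalised) URI does not match the location at all."""
    uri = normpath(uri)
    if not uri.startswith(prefix):
        return None
    return normpath(alias + uri[len(prefix):])


def escapes_alias(prefix: str, alias: str, uri: str) -> bool:
    """True when the URI resolves to a filesystem path outside the alias dir."""
    resolved = resolve_alias(prefix, alias, uri)
    if resolved is None:
        return False
    root = normpath(alias)
    return not (resolved == root or resolved.startswith(root + "/"))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "findings:", find_alias_traversal(cfg))
    # The weak pairing sends '/shibboleth-sp../x' to '/usr/share/x'.
    print(resolve_alias("/shibboleth-sp", "/usr/share/shibboleth/", "/shibboleth-sp../x"))
    # With the trailing slash on the location, the same URI no longer matches.
    print(resolve_alias("/shibboleth-sp/", "/usr/share/shibboleth/", "/shibboleth-sp../x"))
```

The lint reports the weak pairing and stays silent on the fixed one; the resolver shows why: once the location prefix carries its own trailing slash, a URI whose ".." sits directly after the prefix no longer matches that location, and a URI with "/.." after it is normalised by nginx before matching, so neither reaches the alias substitution.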

Impact

An attacker can access files on the web server to which they should not have access.

We are processing your report and will contact the jitsi/jicofo team within 24 hours. a year ago
pupu.eth submitted a
a year ago
We have contacted a member of the jitsi/jicofo team and are waiting to hear back a year ago
jitsi/jicofo maintainer validated this vulnerability a year ago
pupu.eth has been awarded the disclosure bounty
The fix bounty is now up for grabs
jitsi/jicofo maintainer marked this as fixed with commit f4ba60 a year ago
pupu.eth has been awarded the fix bounty
This vulnerability will not receive a CVE