Relative Path Traversal in jitsi/jicofo


Reported on

Nov 15th 2021


misconfigurations of nginx lead to a path traversal vulnerability.

Proof of Concept

according to

a request to /shibboleth-sp../ can get any file under /usr/share


An attacker can access files on the web server to which they should not have access.

We are processing your report and will contact the jitsi/jicofo team within 24 hours. 19 days ago
Dig2 submitted a
19 days ago
We have contacted a member of the jitsi/jicofo team and are waiting to hear back 18 days ago
jitsi/jicofo maintainer validated this vulnerability 18 days ago
Dig2 has been awarded the disclosure bounty
The fix bounty is now up for grabs
jitsi/jicofo maintainer confirmed that a fix has been merged on f4ba60 17 days ago
Dig2 has been awarded the fix bounty