Gridea 0.9.3 - Local File Read
| Field | Value |
|---|---|
| Name | Gridea 0.9.3 - Local File Read |
| Affected versions | Version 0.9.3 |
| Kind | Insecure or unset HTTP headers - Content-Security-Policy |
| Rule | 043. Insecure or unset HTTP headers - Content-Security-Policy |
| CVSSv3 Base Score | 5.5 |
Gridea version 0.9.3 allows an external attacker to remotely obtain arbitrary local files from any client that views a malicious markdown file through Gridea. This is possible because the application has no CSP policy (or not a strict enough one) and/or does not properly validate the contents of markdown files before rendering them.
Because of this, an attacker can embed malicious JS code in a markdown file and send it to the victim to view, thus exfiltrating the victim's local files.
To exploit this vulnerability, you must send the following file to a user to open with Gridea. The exploit is triggered when the user presses CTRL+P or simply
<img src="1" onerror='fetch("file:///etc/private").then(data => data.text()).then(leak => alert(leak));'/>
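The following is an added defensive example in JavaScript, not Gridea's code and not part of the advisory: it applies an attribute-stripping check to the payload above (the onerror handler and any javascript:/file: URL are removed before the HTML reaches the DOM), and lints a Content-Security-Policy string for the two settings that would have blocked the exfiltration (no 'unsafe-inline' in script-src, no file: or wildcard in connect-src). Function names and the sample policies are assumptions.

```javascript
// Added example, not Gridea's own code: (1) strip the attributes that carry the
// advisory's payload out of renderer-produced HTML, (2) lint a CSP string for the
// settings that would have stopped it. All names and sample policies are assumed.
// Constructed input: the payload quoted in the advisory.
const ADVISORY_PAYLOAD =
  `<img src="1" onerror='fetch("file:///etc/private").then(data => data.text()).then(leak => alert(leak));'/>`;
// One attribute of a tag, then a whole opening tag (name, attributes, optional "/").
// Quoted values may legitimately contain ">" (the payload contains "=>").
const ATTR_RE = /\s+([^\s"'=<>\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
const TAG_RE = /<([a-zA-Z][\w-]*)((?:\s+[^\s"'=<>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;

function isDangerousAttr(name, value) {
  const n = name.toLowerCase();
  if (n.startsWith('on')) return true;               // inline handler: onerror, onload, ...
  if (n === 'href' || n === 'src') {                 // script- or local-file-bearing URLs
    const v = (value || '').replace(/^["']|["']$/g, '').trim().toLowerCase();
    return /^(javascript|file|data):/.test(v);
  }
  return false;
}

// Rewrite every opening tag, keeping only attributes that are not dangerous.
function stripDangerousAttrs(html) {
  return html.replace(TAG_RE, (_, tag, attrs, selfClose) => {
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      if (!isDangerousAttr(m[1], m[2])) kept.push(m[2] === undefined ? m[1] : `${m[1]}=${m[2]}`);
    }
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}${selfClose ? '/' : ''}>`;
  });
}

// Static lint of a Content-Security-Policy string. No policy at all (Gridea's
// case) fails both checks: the inline onerror runs and fetch("file:...") goes through.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const [name, ...srcs] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = srcs.map(s => s.toLowerCase());
  }
  return out;
}

function cspStopsPayload(csp) {
  const d = parseCsp(csp);
  const script = d['script-src'] || d['default-src'] || [];   // missing directive = allow all
  const connect = d['connect-src'] || d['default-src'] || [];
  const noInlineScript = script.length > 0 && !script.includes("'unsafe-inline'");
  const noFileFetch = connect.length > 0 && !connect.some(s => s === '*' || s === 'file:');
  return { noInlineScript, noFileFetch, stops: noInlineScript && noFileFetch };
}
```

The lint inspects the policy string only, not a browser's actual enforcement; a production renderer should hand its HTML to an allow-list sanitiser rather than rely on this regex pass.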
Our security policy
We have reserved CVE-2022-40275 to refer to this issue from now on.
Version: Gridea 0.9.3
Operating System: GNU/Linux
There is currently no patch available for this vulnerability.
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
Vendor page https://github.com/getgridea/gridea