Plane v0.7.1 - Unauthorized access to files
Summary
| Name | Plane v0.7.1 - Insecure file upload |
| Code name | |
| Product | Plane |
| Affected versions | 0.7.1 |
| State | Public |
| Release date | 2023-07-14 |
Vulnerability
| Kind | Insecure file upload |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
| CVSSv3.1 Base Score | 7.5 |
| Exploit available | Yes |
| CVE ID(s) |
Description
Plane version 0.7.1 allows an unauthenticated attacker to view all stored server files of all users.
Vulnerability
In the application users can change the photo of their avatar and upload different types of files of different extensions which are all stored in the same folder and there is no restriction. Any unauthenticated person can access and download the resources. Knowing that Plane is created to create issues on projects and manage them, this is critical, because if bugs are reported on an application, an attacker can obtain the evidence and files of the same issue.
Exploit
Evidence of exploitation
By accessing the /uploads/ directory you can see all the files stored on the server.
Our security policy
We have reserved the CVE-2023-2268 to refer to this issue from now on.
System Information
-
Version: Plane 0.7.1
-
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Lautaro Casanova from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/makeplane/plane
Timeline
2023-06-19
Vulnerability discovered.
2023-06-20
Vendor contacted.
2023-06-23
Vendor Confirmed the vulnerability.
2023-07-14
Public Disclosure.
