PartKeepr v1.4.0 url attachment 'add parts' - LFI

Summary

Name: PartKeepr v1.4.0 url attachment 'add parts' - LFI
Code name: Hendrix
Product: PartKeepr
Affected versions: v1.4.0
State: Public
Release date: 2022-01-09

Vulnerability

Kind: Local file inclusion
Rule: 123. Local file inclusion
Remote: Yes
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSSv3 Base Score: 6.5
Exploit available: No
CVE ID(s): CVE-2022-22701

Description

In PartKeepr versions up to and including 1.4.0, the feature that loads an attachment from a URL while creating a part accepts the 'file://' URI scheme, which allows an authenticated user to read local files.

Proof of Concept

  • Go to 'Add Part'.
  • Click on 'Attachments'.
  • Click on 'Add'.
  • Fill the 'URL' field with "file:///etc/passwd".
  • Click on 'Upload'.
  • Click on the uploaded file in order to see the content.

Exploit

There is no exploit for the vulnerability, but it can be exploited manually.

Mitigation

As of 2022-01-04, there is no patch resolving the issue.
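
The control missing from the URL attachment feature is a scheme allow-list applied before the server fetches anything. The following PHP is an added example, not PartKeepr's code or an official fix; the function names `isAllowedAttachmentUrl` and `fetchAttachment` are hypothetical, and it assumes the download is performed with the PHP cURL extension.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical helpers, not taken from the PartKeepr code base.

const ALLOWED_SCHEMES = ['http', 'https'];

/** Accept only absolute http(s) URLs that carry a host component. */
function isAllowedAttachmentUrl(string $url): bool
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // malformed, relative, or host-less (e.g. file:///...)
    }
    return in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true);
}

/** Download an attachment, enforcing the allow-list in PHP and in libcurl. */
function fetchAttachment(string $url): string
{
    if (!isAllowedAttachmentUrl($url)) {
        throw new InvalidArgumentException('Only http and https attachment URLs are accepted');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        // Second layer: libcurl itself refuses any other scheme,
        // both for the initial request and for redirect targets.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Download failed: $error");
    }
    curl_close($ch);
    return $body;
}

// Constructed sample inputs; the file:// value is the one from the advisory.
$samples = ['https://example.com/datasheet.pdf', 'file:///etc/passwd',
            'FILE:///etc/passwd', 'ftp://example.com/x', '/etc/passwd'];
foreach ($samples as $u) {
    printf("%-36s %s\n", $u, isAllowedAttachmentUrl($u) ? 'accept' : 'reject');
}
```

A scheme allow-list addresses the local file read only; restricting which HTTP hosts the server may contact is a separate control.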

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page: https://partkeepr.org/

Issue: https://github.com/partkeepr/PartKeepr/issues/1229/

Timeline

2022-01-03: Vulnerability discovered.

2022-01-04: Vendor contacted.

2022-01-09: Public disclosure.