PartKeepr v1.4.0 url attachment 'add parts' - LFI
6,5
Medium
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
PartKeepr v1.4.0 url attachment 'add parts' - LFI
Code name
State
Public
Release date
9 de jan. de 2022
Affected product
PartKeepr
Affected version(s)
v1.4.0
Vulnerability name
Local file inclusion
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v3.1 base score
6.5
Exploit available
No
CVE ID(s)
Description
In PartKeepr versions up to and including 1.4.0, the functionality to load attachments using a URL while creating a part, allows the use of the 'file://' URI scheme, allowing an authenticated user to read local files.
Proof of Concept
Go to 'Add Part'.
Click on 'Attachments'.
Click on 'Add'.
Fill the 'URL' field with "file:///etc/passwd".
Click on 'Upload'.
Click on the uploaded file in order to see the content.
Exploit
There is no exploit for the vulnerability but can be manually exploited.
Mitigation
By 2022-01-04 there is not a patch resolving the issue.
References
Timeline
Vulnerability discovered
3 de jan. de 2022
Vendor contacted
4 de jan. de 2022
Public disclosure
9 de jan. de 2022
