Updated advisory posts against rubysec/ruby-advisory-db@6f90c48

jasnow · RubySec CI · commit 07765d756496 · 2024-10-08T23:16:59.000Z
diff --git a/advisories/_posts/2024-09-18-CVE-2024-46987.md b/advisories/_posts/2024-09-18-CVE-2024-46987.md
@@ -0,0 +1,86 @@
+---
+layout: advisory
+title: 'CVE-2024-46987 (camaleon_cms): Camaleon CMS vulnerable to arbitrary path traversal
+  (GHSL-2024-183)'
+comments: false
+categories:
+- camaleon_cms
+advisory:
+  gem: camaleon_cms
+  cve: 2024-46987
+  ghsa: cp65-5m9r-vc2c
+  url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c
+  title: Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183)
+  date: 2024-09-18
+  description: |
+    A path traversal vulnerability accessible via MediaController's
+    download_private_file method allows authenticated users to download
+    any file on the web server Camaleon CMS is running on (depending
+    on the file permissions).
+
+    In the [download_private_file] method:
+
+    ```ruby
+    def download_private_file
+      cama_uploader.enable_private_mode!
+
+      file = cama_uploader.fetch_file("private/#{params[:file]}")
+
+      send_file file, disposition: 'inline'
+    end
+    ```
+
+    [download_private_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L28
+
+    The file parameter is passed to the [fetch_file] method of the
+    CamaleonCmsLocalUploader class (when files are uploaded locally):
+
+    ```ruby
+    def fetch_file(file_name)
+      raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name)
+
+      file_name
+    end
+    ```
+
+    [fetch_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L27
+
+    If the file exists it's passed back to the download_private_file method
+    where the file is sent to the user via [send_file].
+
+    [send_file]: https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L33-L34
+
+    ## Proof of concept
+
+    An authenticated user can download the /etc/passwd file by visiting an URL such as:
+
+        https://<camaleon-host>/admin/media/download_private_file?file=../../../../../../etc/passwd
+
+    ## Impact
+
+    This issue may lead to Information Disclosure.
+
+    ## Remediation
+
+    Normalize file paths constructed from untrusted user input before using
+    them and check that the resulting path is inside the targeted directory.
+    Additionally, do not allow character sequences such as `..` in untrusted
+    input that is used to build paths.
+
+    ## See Also
+
+    * [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)
+    * [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
+  cvss_v3: 7.7
+  patched_versions:
+  - ">= 2.8.1"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-46987
+    - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c
+    - https://github.com/owen2345/camaleon-cms/commit/071b1b09d6d61ab02a5960b1ccafd9d9c2155a3e
+    - https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
+    - https://owasp.org/www-community/attacks/Path_Traversal
+    - https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released
+    - https://github.com/advisories/GHSA-cp65-5m9r-vc2c
+---
