
List:       full-disclosure
Subject:    [FD] CVE-2023-46307
From:       Kevin <krandall2013 () gmail ! com>
Date:       2023-11-23 21:30:03
Message-ID: CAM-upGp6smfr60vEJZtXR-9mQACx33wxQWVo3dq69_0DZtfbXA () mail ! gmail ! com

> An issue was discovered in server.js in etcd-browser 87ae63d75260. By
> supplying a /../../../ Directory Traversal input to the URL's GET
> request while connecting to the remote server port specified during
> setup, an attacker can retrieve local operating system files from the
> remote system.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Directory Traversal
>
> ------------------------------------------
>
> [Vendor of Product]
> https://hub.docker.com/r/buddho/etcd-browser
>
> ------------------------------------------
>
> [Affected Product Code Base]
> etcd-browser - Unknown
>
> ------------------------------------------
>
> [Affected Component]
> the server.js file does not validate the path for files.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Allow for a remote arbitrary user to obtain local operating system files
>
> ------------------------------------------
>
> [Attack Vectors]
> The attacker must supply a /../../ technique to the server application
> running on the remote port specified during setup
>
> ------------------------------------------
>
> [Reference]
> https://hub.docker.com/r/buddho/etcd-browser
> https://hub.docker.com/r/buddho/etcd-browser/tags
>
> ------------------------------------------
>
> [Discoverer]
> Kevin Randall
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/