Path Traversal Leading to Remote Code Execution
A path traversal vulnerability in version 9.4.0 allows attackers to overwrite the `configs/config.yaml` file via the `/set_personality_config` endpoint, leading to remote code execution. This issue was patched in the latest version.
Available publicly on Jun 15 2024
Threat Overview
The vulnerability arises from improper sanitization of the `category` input in the `/set_personality_config` endpoint. By exploiting this, an attacker can manipulate the file path to overwrite the `configs/config.yaml` file. This allows the attacker to change server configurations, enabling remote code execution through the `/execute_code` endpoint.
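One way to confine request-supplied path components to a fixed directory, shown as an added example rather than the project's own code or its patch. The directory layout (`<root>/<category>/<name>/config.yaml`), the function names and the sample values are assumptions made for illustration.

```python
from pathlib import Path

# Assumed layout (not from the advisory): personality configs live under
# <root>/<category>/<name>/config.yaml
CONFIG_FILENAME = "config.yaml"


class UnsafePathError(ValueError):
    """Raised when request fields would resolve outside the allowed root."""


def _check_component(label: str, value: str) -> str:
    # Reject empty values, dot segments, separators and NUL bytes outright.
    # An empty category is what the advisory's scenario relies on.
    bad_chars = ("/", "\\", "\x00")
    if not value or value in (".", "..") or any(c in value for c in bad_chars):
        raise UnsafePathError(f"invalid {label}: {value!r}")
    return value


def resolve_personality_config(root: Path, category: str, name: str) -> Path:
    """Return the config path for (category, name), guaranteed under root."""
    root = root.resolve()
    candidate = (root / _check_component("category", category)
                 / _check_component("name", name) / CONFIG_FILENAME)
    resolved = candidate.resolve()
    # Defence in depth: even if a component passed the checks (for example
    # via a symlink), the resolved path must still sit inside the root.
    if not resolved.is_relative_to(root):
        raise UnsafePathError(f"path escapes {root}: {resolved}")
    return resolved


def is_rejected(root: Path, category: str, name: str) -> bool:
    """True when the (category, name) pair is refused by the resolver."""
    try:
        resolve_personality_config(root, category, name)
        return False
    except UnsafePathError:
        return True
```

Checking each component and then re-checking the resolved path means a miss in one layer is still caught by the other.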
Attack Scenario
An attacker sends a crafted POST request to the `/set_personality_config` endpoint with an empty `category` and a manipulated `name` to overwrite the `configs/config.yaml` file. The attacker then restarts the service to apply the new configuration, which disables code validation and allows remote code execution. Finally, the attacker sends a POST request to the `/execute_code` endpoint to run arbitrary code on the server.
Who is affected
Users running version 9.4.0 of the software who expose the `/set_personality_config` endpoint are affected by this vulnerability.