Path Traversal in getFullPath Method
The `getFullPath` method in version 0.2.5 of the software is vulnerable to path traversal attacks, allowing attackers to save, read, and delete files anywhere in the filesystem. This issue has not yet been patched.
Available publicly on Sep 12 2024
Threat Overview
The vulnerability in the `getFullPath` method allows an attacker to perform path traversal attacks. By manipulating the file paths, an attacker can save files, read files, and delete files outside the intended directory. This can lead to unauthorized access to sensitive information, data corruption, and potential denial of service by deleting critical files.
Attack Scenario
An attacker could exploit this vulnerability by providing a specially crafted file path to the `mset`, `mget`, or `mdelete` methods. For example, by using `../../../../` in the file path, the attacker can navigate to any directory on the filesystem. This allows the attacker to save malicious files, read sensitive information, or delete important files.
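The advisory does not name the software or its language, so the following is an added illustration, not the project's own code: a hypothetical reconstruction of the flawed join pattern (`vulnerable_get_full_path`) beside a hardened resolver (`safe_get_full_path`) that canonicalises the requested name and refuses anything that does not land strictly inside the storage root. All paths and names used are constructed samples; `/var/app/storage` is assumed to be the intended directory.

```python
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside the storage root."""


def vulnerable_get_full_path(base_dir: str, name: str) -> str:
    # Hypothetical reconstruction of the flawed pattern: a plain join with no
    # check. '../' segments walk out of base_dir, and an absolute name makes
    # os.path.join discard base_dir entirely.
    return os.path.join(base_dir, name)


def naive_target(base_dir: str, name: str) -> str:
    # What the filesystem would actually open for the vulnerable join,
    # after lexical normalisation of the '../' segments.
    return os.path.normpath(vulnerable_get_full_path(base_dir, name))


def safe_get_full_path(base_dir: str, name: str) -> str:
    # Hardened variant (added here, not the project's code): resolve both the
    # root and the candidate, then require the candidate to sit strictly
    # below the root. resolve() also follows symlinks, so a link inside the
    # root that points outside it is rejected as well.
    root = Path(base_dir).resolve()
    candidate = (root / name).resolve()
    if candidate == root:
        raise PathTraversalError(f"{name!r} names the storage root itself")
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathTraversalError(f"{name!r} escapes {base_dir!r}") from None
    return str(candidate)


def classify(base_dir: str, names):
    # Label each constructed input as allowed or rejected by the safe resolver.
    outcome = {}
    for name in names:
        try:
            safe_get_full_path(base_dir, name)
            outcome[name] = "allowed"
        except PathTraversalError:
            outcome[name] = "rejected"
    return outcome


def demo_file_operations() -> str:
    # Save, read and delete through the safe resolver inside a throwaway root,
    # and confirm that a traversal name is refused before any I/O happens.
    with tempfile.TemporaryDirectory() as root:
        path = safe_get_full_path(root, "reports/q3.txt")
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("quarterly figures")
        with open(path, encoding="utf-8") as fh:
            content = fh.read()
        os.remove(path)
        try:
            safe_get_full_path(root, "../../../../etc/passwd")
        except PathTraversalError:
            return content
        return "traversal was not rejected"


if __name__ == "__main__":
    samples = ["reports/q3.txt", "reports/../q3.txt",
               "../../../../etc/passwd", "/etc/passwd", "a/../../b"]
    for name, verdict in classify("/var/app/storage", samples).items():
        print(f"{verdict:8} {name}")
    print(demo_file_operations())
```

The check is done on the resolved path rather than by scanning the string for `..`, because encoded or interleaved segments (`a/../../b`) and absolute names slip past substring filters but cannot survive canonicalisation. Applying the same resolver to every save, read and delete entry point closes all three operations the advisory lists.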
Who is affected
Users of version 0.2.5 of the software who utilize the `getFullPath` method for file operations are affected. This includes any applications or services that rely on this method for saving, reading, or deleting files.