Path Traversal in File Upload Functionality
Available publicly on Jul 12 2024
Threat Overview
The vulnerability exists in the file upload functionality, where the application fails to properly sanitize the file path provided by the user. This allows an attacker to traverse directories and upload files to arbitrary locations within the S3 bucket. The impact of this vulnerability includes unauthorized file uploads, potential overwriting of existing files, and creation of new directories.
Attack Scenario
An attacker can exploit this vulnerability by crafting a malicious file upload request with a specially crafted file path. For example, by including '../' sequences in the filename, the attacker can navigate to parent directories and upload files to unintended locations within the S3 bucket. This could lead to unauthorized data access or modification.
Who is affected
Users of the latest version of the software who utilize the file upload functionality are affected by this vulnerability. This includes any deployment where the application interacts with an S3 bucket for file storage.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.