Arbitrary File Write via /v1/runs API Endpoint
A vulnerability in version v2.2.4 of the software allows attackers to exploit path traversal in the /v1/runs API endpoint, leading to arbitrary file writes. This issue was patched in a subsequent release.
Available publicly on Jun 21 2024
Threat Overview
The vulnerability arises from the automatic extraction of tar.gz files by the LightningApp's plugin server. Attackers can craft malicious tar.gz files with embedded path traversal sequences, allowing them to write arbitrary files to the victim's file system. This can lead to severe consequences, including remote code execution (RCE) if malicious files are written to sensitive directories.
Attack Scenario
An attacker sets up a malicious tar.gz file containing a payload with path traversal sequences. They then host this file on a server and trick the victim's LightningApp into downloading and extracting it. The malicious file is written to a sensitive directory on the victim's system, potentially leading to RCE or other malicious actions.
Who is affected
Users running LightningApp with the plugin server enabled in version v2.2.4 are affected. This includes any deployments where the plugin server is exposed to untrusted networks or users.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.