Impact
It is possible to test for the existence of a file outside the shared folder, and to compare a hash of its content to a provided hash, by exploiting a path traversal in a HEAD request on the shared-folder API.
curl --head -v "http://127.0.0.1:3030/rudder/relay-api/1/shared-folder/%2e%2e%2f/etc/passwd"
The impact is very limited as:
- The GET endpoint is not affected, so it does not allow accessing the file content
- The HEAD answer of this API does not give file size, but only compares content to a provided hash
- It only works for files the rudder-relayd user on the system has access to
- This request is only allowed locally or from an accepted node, managed by the target relay
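One way a handler can refuse such request paths, as an added example (not Rudder's code or its patch): the function names and the /var/example/shared-files base directory are assumptions, and symlinks inside the shared folder are not covered.

```rust
use std::path::{Component, Path, PathBuf};

// Decode %XX escapes once; None on malformed escapes or non-UTF-8 output.
fn percent_decode(input: &str) -> Option<String> {
    let bytes = input.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = input.get(i + 1..i + 3)?;
            if !hex.bytes().all(|b| b.is_ascii_hexdigit()) {
                return None;
            }
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

// Hypothetical helper: map a request path to a file under `base`, or None.
fn resolve_shared(base: &Path, raw: &str) -> Option<PathBuf> {
    let decoded = percent_decode(raw)?;
    if decoded.contains('\0') {
        return None;
    }
    let mut resolved = base.to_path_buf();
    for comp in Path::new(&decoded).components() {
        match comp {
            Component::Normal(part) => resolved.push(part),
            Component::CurDir => {}
            // "..", a leading "/" or a Windows prefix would leave `base`.
            _ => return None,
        }
    }
    Some(resolved)
}

fn main() {
    // Constructed base directory and request paths.
    let base = Path::new("/var/example/shared-files");
    for raw in ["%2e%2e%2f/etc/passwd", "/etc/passwd", "node1/file.txt"] {
        println!("{:<24} -> {:?}", raw, resolve_shared(base, raw));
    }
}
```

The check runs on the decoded path and is applied before any file system call, so it covers a hash comparison as well as a content read.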
Patches
Workarounds
None.
References