Impact

It is possible to write files outside of the git configuration repository (by default /var/rudder/configuration-repository/) using a path traversal when creating a rule or parameter from Rudder Rest API. With the following request:

curl -H "X-API-TOKEN: ***" -H "Content-Type: application/json" -X PUT https://myrudderserver.com/rudder/api/latest/rules --data '{"id":"../../../../etc/app/settings", "displayName": "test traversal"}'

we could create the /etc/app/settings.xml file, and override it's content with the one for the rule if the file already exists.

Impact is limited because it only affects files or directories ending with .xml. Privilege escalation is also limited as exploitation requires write access on rules or parameters.

Patches

• #5661

Workarounds

None.

References

• #24856 on the bugtracker