logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-46987 camaleon_cms

Package

Manager: gem
Name: camaleon_cms
Vulnerable Version: >=0 <2.8.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00069 pctl0.21538

Details

Camaleon CMS vulnerable to arbitrary path traversal (GHSL-2024-183) A path traversal vulnerability accessible via MediaController's download_private_file method allows authenticated users to download any file on the web server Camaleon CMS is running on (depending on the file permissions). In the [download_private_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L28) method: ```ruby def download_private_file cama_uploader.enable_private_mode! file = cama_uploader.fetch_file("private/#{params[:file]}") send_file file, disposition: 'inline' end ``` The file parameter is passed to the [fetch_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/uploaders/camaleon_cms_local_uploader.rb#L27) method of the CamaleonCmsLocalUploader class (when files are uploaded locally): ```ruby def fetch_file(file_name) raise ActionController::RoutingError, 'File not found' unless file_exists?(file_name) file_name end ``` If the file exists it's passed back to the download_private_file method where the file is sent to the user via [send_file](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L33-L34). Proof of concept An authenticated user can download the /etc/passwd file by visiting an URL such as: https://<camaleon-host>/admin/media/download_private_file?file=../../../../../../etc/passwd Impact This issue may lead to Information Disclosure. Remediation Normalize file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths. See also: [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)

Metadata

Created: 2024-09-18T15:46:53Z
Modified: 2025-04-17T23:00:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-cp65-5m9r-vc2c/GHSA-cp65-5m9r-vc2c.json
CWE IDs: ["CWE-200", "CWE-22"]
Alternative ID: GHSA-cp65-5m9r-vc2c
Finding: F063
Auto approve: 1