Impact
A path traversal vulnerability exists in the backup export functionality of EDDI, as implemented in RestExportService.java. This vulnerability allows an attacker to access sensitive files on the server by manipulating the botFilename parameter in requests. The application fails to sanitize user input, enabling malicious inputs such as ..%2f..%2fetc%2fpasswd to access arbitrary files.
However, the severity of this vulnerability is significantly limited because EDDI typically runs within a Docker container, which provides additional layers of isolation and restricted permissions.
Specifically:
- The application runs as a non-root user (USER 185), reducing the attacker's ability to access critical system files within the container
- The containerized environment isolates the application from the host system, preventing access to host-level files unless explicitly mounted as a volume
- The attacker can only access files that exist within the container and are readable by the application's user (USER 185)
As a result, while this vulnerability exposes files within the container, it does not inherently threaten the underlying host system or other containers.
This vulnerability can potentially lead to:
- Unauthorized access to sensitive files within the container (e.g., application configuration files, logs, or credentials stored in the container)
- Exposure of application secrets such as API keys, credentials, or encryption keys stored in the container
- Reconnaissance of the container’s structure, potentially aiding in further attacks on the application or its services
- Limited denial of service (DoS) if critical container files are tampered with or deleted
Patches
A patch is required to sanitize and validate the botFilename input parameter. Users should ensure they are using the patched version once available. For temporary mitigation, access to the vulnerable endpoint should be restricted through firewall rules or authentication mechanisms.
Workarounds
As a temporary workaround:
- Restrict access to the /backup/export endpoint using network or application-level firewalls.
- Use input validation middleware to reject malicious input patterns that include ../ or URL-encoded traversal sequences (..%2f).
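As an added example, not code from EDDI or from this advisory, here is one way to implement the validation the workaround calls for in Java: decode the parameter, accept only a plain file name, and confirm the resolved path stays inside the export directory. The class name, the export directory and the sample inputs are assumptions for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class BotFilenameGuard {

    // Allow-list for botFilename: a bare file name, no '/' or '\' and no leading dot,
    // so dot-segments such as ".." can never match.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,127}");

    /**
     * Resolves botFilename inside exportDir or throws IllegalArgumentException.
     * The servlet layer normally URL-decodes the parameter once already; decoding
     * again here means a value that was encoded twice is still judged on its
     * final form rather than on the still-encoded text.
     */
    public static Path resolveBotFile(Path exportDir, String botFilename) {
        if (botFilename == null || botFilename.isEmpty()) {
            throw new IllegalArgumentException("botFilename is required");
        }
        String decoded = URLDecoder.decode(botFilename, StandardCharsets.UTF_8);
        if (!SAFE_NAME.matcher(decoded).matches()) {
            throw new IllegalArgumentException("botFilename is not a plain file name");
        }
        Path base = exportDir.toAbsolutePath().normalize();
        Path target = base.resolve(decoded).normalize();
        // Defence in depth: even an allow-listed name must resolve under the base directory.
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("botFilename escapes the export directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path exportDir = Paths.get("/tmp/eddi-export"); // assumed export location
        // Constructed inputs: one legitimate name and the traversal forms the advisory mentions.
        String[] samples = { "mybot.json", "..%2f..%2fetc%2fpasswd", "../../etc/passwd" };
        for (String s : samples) {
            try {
                System.out.println("accept " + s + " -> " + resolveBotFile(exportDir, s));
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + s + ": " + e.getMessage());
            }
        }
    }
}
```

Only the first sample is accepted; both traversal forms are rejected by the allow-list before any file system access takes place.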
References