Skip to main content

Uptime Kuma CVE-2024-56331

MEDIUM
Path Traversal (CWE-22)
2024-12-20 security-advisories@github.com
6.8
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 20, 2024 - 20:15 cve.org
MEDIUM 6.8

DescriptionCVE.org

Uptime Kuma is an open source, self-hosted monitoring tool. An Improper URL Handling Vulnerability allows an attacker to access sensitive local files on the server by exploiting the file:/// protocol. This vulnerability is triggered via the "real-browser" request type, which takes a screenshot of the URL provided by the attacker. By supplying local file paths, such as file:///etc/passwd, an attacker can read sensitive data from the server. This vulnerability arises because the system does not properly validate or sanitize the user input for the URL field. Specifically: 1. The URL input (<input data-v-5f5c86d7="" id="url" type="url" class="form-control" pattern="https?://.+" required="">) allows users to input arbitrary file paths, including those using the file:/// protocol, without server-side validation. 2. The server then uses the user-provided URL to make a request, passing it to a browser instance that performs the "real-browser" request, which takes a screenshot of the content at the given URL. If a local file path is entered (e.g., file:///etc/passwd), the browser fetches and captures the file’s content. Since the user input is not validated, an attacker can manipulate the URL to request local files (e.g., file:///etc/passwd), and the system will capture a screenshot of the file's content, potentially exposing sensitive data. Any authenticated user who can submit a URL in "real-browser" mode is at risk of exposing sensitive data through screenshots of these files. This issue has been addressed in version 1.23.16 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

AnalysisAI

Uptime Kuma is an open source, self-hosted monitoring tool. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Uptime Kuma is an open source, self-hosted monitoring tool. An Improper URL Handling Vulnerability allows an attacker to access sensitive local files on the server by exploiting the file:/// protocol. This vulnerability is triggered via the "real-browser" request type, which takes a screenshot of the URL provided by the attacker. By supplying local file paths, such as file:///etc/passwd, an attacker can read sensitive data from the server. This vulnerability arises because the system does not properly validate or sanitize the user input for the URL field. Specifically: 1. The URL input (<input data-v-5f5c86d7="" id="url" type="url" class="form-control" pattern="https?://.+" required="">) allows users to input arbitrary file paths, including those using the file:/// protocol, without server-side validation. 2. The server then uses the user-provided URL to make a request, passing it to a browser instance that performs the "real-browser" request, which takes a screenshot of the content at the given URL. If a local file path is entered (e.g., file:///etc/passwd), the browser fetches and captures the file’s content. Since the user input is not validated, an attacker can manipulate the URL to request local files (e.g., file:///etc/passwd), and the system will capture a screenshot of the file's content, potentially exposing sensitive data. Any authenticated user who can submit a URL in "real-browser" mode is at risk of exposing sensitive data through screenshots of these files. This issue has been addressed in version 1.23.16 and all users are advised to upgrade. There are no known workarounds for this vulnerability. Version information: version 1.23.16.

Affected ProductsAI

See vendor advisory for affected versions.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

Share

CVE-2024-56331 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy