JoeyBling Bootplus Path Traversal Vulnerability in SysFileController

Vulnerability

A path traversal vulnerability has been identified in JoeyBling Bootplus versions up to commit 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. The issue arises in the file 'src/main/java/io/github/controller/SysFileController.java', where the download method fails to properly validate the 'name' parameter. This lack of input sanitization allows for the manipulation of file paths, enabling remote attackers to download arbitrary files from the server.

Impact

Exploitation of this vulnerability allows for unauthorized file downloads, potentially leading to the exposure of sensitive information.

Reproduction

To reproduce this vulnerability, send a request to the '/file/download' endpoint with a crafted 'name' parameter that includes an absolute file path. The 'real' parameter should be set to '1'. The server responds with the contents of the specified file, bypassing any intended restrictions.
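The defensive check the advisory implies, as an added illustration rather than Bootplus's own code: a download handler that resolves the requested 'name' strictly inside one fixed download directory and rejects absolute paths, '..' escapes and symlinks that leave it. The directory path and class name are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example of a hardened download path check; not code from the Bootplus project.
// Assumption: downloads are only ever meant to come from one fixed directory (placeholder below).
public class SafeDownload {
    private static final Path BASE_DIR =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    /**
     * Resolves a user-supplied file name inside BASE_DIR.
     * Returns the real path when it is safe to serve; throws otherwise.
     */
    public static Path resolveSafely(String name) throws IOException {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Path.resolve() returns an absolute argument unchanged, which is exactly how an
        // absolute 'name' reaches the file system unfiltered, so refuse it up front.
        Path requested = Paths.get(name);
        if (requested.isAbsolute()) {
            throw new SecurityException("absolute paths are not allowed");
        }
        // normalize() collapses "." and ".." before the containment check.
        // Path.startsWith() compares whole path components, so "uploads2/x" does not
        // pass as a child of "uploads" the way a String prefix check would allow.
        Path candidate = BASE_DIR.resolve(requested).normalize();
        if (!candidate.startsWith(BASE_DIR)) {
            throw new SecurityException("path escapes the download directory");
        }
        // toRealPath() follows symlinks; compare real paths so a link placed inside
        // BASE_DIR cannot point at a file outside it.
        Path baseReal = BASE_DIR.toRealPath();
        Path resolved = candidate.toRealPath();
        if (!resolved.startsWith(baseReal) || !Files.isRegularFile(resolved)) {
            throw new SecurityException("target is outside the download directory or not a regular file");
        }
        return resolved;
    }
}
```

A controller would call resolveSafely(name) and serve only the returned path; every SecurityException should be logged with the offending 'name', since such requests are a reliable detection signal for traversal attempts.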

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

- spread: 0.0
- impact: 1.5
- exploitability: 6.6
- remediation: 0.0
- relevance: 0.0
- threat: 6.4
- urgency: 2.9
- incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.