Fedora Repository Default Credentials and Insecure Archive Extraction Vulnerability
Vulnerability
A vulnerability exists in Fedora Repository 3.8.x, specifically the now-unmaintained 3.8.1 release, which ships with a service account, fedoraIntCallUser, that has default credentials. This account has the privilege to read local files by manipulating datastreams. In addition, Fedora 3.8.x is susceptible to path traversal when extracting uploaded archive files such as ZIP files. An attacker could exploit these issues to read sensitive data and execute arbitrary commands with the privileges of the Java web application server.
Impact
Exploitation of this vulnerability could lead to unauthorized access to local files and the execution of arbitrary commands on the server, in the context of the affected Java web application.
Reproduction
The vulnerability can be reproduced by logging in with the default credentials of the fedoraIntCallUser account on a Fedora Repository 3.8.x instance. Once logged in, crafted archives can be uploaded to exploit the path traversal vulnerability, extracting files to locations that can then be accessed via an unauthenticated GET request.
Remediation
Users are advised to migrate to a currently supported version of Fedora Repository. The latest version as of January 2025 is 6.5.1.
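For operators who cannot migrate immediately, the extraction bug class is worth understanding: an added illustration (not code from the Fedora Repository project) of a ZIP extractor that canonicalises every entry name against the destination directory and refuses any entry that resolves outside it. The class and method names are mine, and the archive built in main is constructed for the demo.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public final class SafeZipExtractor {
    // Resolve an entry name against destDir and reject anything that escapes it:
    // "../x", absolute paths and "a/../../x" all normalise to a path outside base.
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("zip entry escapes destination: " + entryName);
        }
        return target;
    }

    // Extract every entry under destDir; returns the number of files written.
    static int extract(InputStream archive, Path destDir) throws IOException {
        int written = 0;
        try (ZipInputStream zip = new ZipInputStream(archive)) {
            for (ZipEntry e = zip.getNextEntry(); e != null; e = zip.getNextEntry()) {
                Path target = resolveEntry(destDir, e.getName()); // validate before any write
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zip, target, StandardCopyOption.REPLACE_EXISTING);
                    written++;
                }
            }
        }
        return written;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo archive: one benign entry followed by one traversal entry.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            out.putNextEntry(new ZipEntry("ok.txt"));
            out.write("fine".getBytes());
            out.closeEntry();
            out.putNextEntry(new ZipEntry("../escape.txt"));
            out.write("bad".getBytes());
            out.closeEntry();
        }
        Path dest = Files.createTempDirectory("upload");
        try {
            extract(new ByteArrayInputStream(buf.toByteArray()), dest);
        } catch (IOException ex) {
            // The traversal entry is refused and nothing is written outside dest.
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The check must run on the normalised absolute path before any file is created; comparing the raw entry name against ".." is not sufficient because encoded or nested forms normalise differently.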
