Tandoor Recipes Local File Disclosure Vulnerability

Vulnerability

A local file disclosure vulnerability exists in Tandoor Recipes versions through 1.5.23. The issue arises from the external storage feature: a user who can create a storage backend can point it at an arbitrary directory on the server, and the application does not confine that path to its own data directories. The user can then enumerate directory entries and read file contents from any location the application can reach, including sensitive locations such as '/etc' and user home directories.

Impact

Exploitation of this vulnerability allows unauthorized reading of files on the server, including system files and other users' data. The practical scope is every file readable by the OS account the application runs as; in a container deployment that means the container filesystem plus any mounted volumes, such as the application's own configuration and database files.

Reproduction

To reproduce this vulnerability, create a new storage backend in Tandoor Recipes whose root points at a directory outside the application's media directory. Because the configured path is not validated against an allowed base, the application lists that directory's entries and returns file contents through its normal storage browsing functionality. For example, the contents of the '/etc' directory can be enumerated and individual files retrieved using the Tandoor API.
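The following is an added illustration of the bug class behind this advisory and of the check that closes it; it is not Tandoor's code and does not reproduce its storage implementation. The unsafe pattern joins a user-supplied storage root and relative path and reads whatever results, so a root set to a directory outside the media tree, a `..` component, an absolute path, or a planted symlink all disclose arbitrary files. The hardened pattern resolves the final path and refuses anything that does not stay under an administrator-controlled base directory. All function names, the base directory and the sandbox files are assumptions constructed for the example (a fake `etc_passwd` stands in for `/etc/passwd`).

```python
"""Path-confinement check for a user-configurable storage root (added example, not Tandoor code)."""
import shutil
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a requested path resolves outside the allowed base directory."""


def vulnerable_read(storage_root: str, relative: str) -> bytes:
    """Unsafe pattern: trusts both the user-chosen root and the relative path.

    Note that Path(root) / "/abs/path" yields "/abs/path", so an absolute
    component silently replaces the root entirely.
    """
    return Path(storage_root, relative).read_bytes()


def safe_resolve(allowed_base: Path, storage_root: str, relative: str) -> Path:
    """Resolve storage_root/relative and require it to stay under allowed_base.

    resolve() follows symlinks and collapses '..', so the comparison is made on
    the real filesystem target; is_relative_to() (Python 3.9+) also rejects
    sibling names such as /srv/media-evil when the base is /srv/media.
    """
    base = allowed_base.resolve()
    target = (Path(storage_root) / relative).resolve()
    if not target.is_relative_to(base):
        raise PathEscapeError(f"{target} is outside {base}")
    return target


def safe_read(allowed_base: Path, storage_root: str, relative: str) -> bytes:
    """Read a file only if it resolves inside allowed_base."""
    return safe_resolve(allowed_base, storage_root, relative).read_bytes()


def safe_list(allowed_base: Path, storage_root: str, relative: str = ".") -> list:
    """List a directory only if it resolves inside allowed_base."""
    directory = safe_resolve(allowed_base, storage_root, relative)
    return sorted(p.name for p in directory.iterdir())


def demo() -> dict:
    """Run both patterns in a constructed sandbox and return the outcomes."""
    tmp = Path(tempfile.mkdtemp()).resolve()
    media = tmp / "media"                       # the only tree the app should expose
    media.mkdir()
    (media / "recipe.jpg").write_bytes(b"jpeg-bytes")
    secret = tmp / "etc_passwd"                 # constructed stand-in for /etc/passwd
    secret.write_text("root:x:0:0:root:/root:/bin/sh\n")
    (media / "link").symlink_to(secret)         # symlink planted inside the exposed tree

    out = {}
    try:
        # Unsafe pattern: traversal, absolute path and attacker-chosen root all succeed.
        out["vuln_traversal"] = vulnerable_read(str(media), "../etc_passwd").startswith(b"root:")
        out["vuln_absolute"] = vulnerable_read(str(media), str(secret)).startswith(b"root:")
        out["vuln_root"] = vulnerable_read(str(tmp), "etc_passwd").startswith(b"root:")

        # Confined pattern: legitimate access works, every escape route is refused.
        out["safe_ok"] = safe_read(media, str(media), "recipe.jpg") == b"jpeg-bytes"
        out["safe_list"] = safe_list(media, str(media))
        attempts = [("traversal", media, "../etc_passwd"),
                    ("absolute", media, str(secret)),
                    ("root", tmp, "etc_passwd"),
                    ("symlink", media, "link")]
        for name, root, rel in attempts:
            try:
                safe_read(media, str(root), rel)
                out["safe_" + name] = "READ"
            except PathEscapeError:
                out["safe_" + name] = "blocked"
    finally:
        shutil.rmtree(tmp)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the symlink case is that a check done on the string form of the path (for example, rejecting `..`) is not enough: the file must be resolved to its real location before the containment test, and the storage root itself must be subject to that test, not only the paths browsed beneath it.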

Remediation

Update to Tandoor Recipes version 1.5.28 or later to address this vulnerability. After upgrading, also review the existing storage backend definitions for roots that point outside the application's expected data directory, since a backend created during exploitation remains configured until it is removed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.