Joplin Server Path Traversal Vulnerability Allowing Arbitrary File Read
Vulnerability
A path traversal vulnerability has been identified in Joplin Server versions prior to 3.3.3. The issue lies in the default route's `findLocalFile` function, which accepts static-file paths starting with `css/pluginAssets` or `js/pluginAssets` without rejecting `..` traversal sequences in the remainder of the path. A request whose path begins with one of the allowed prefixes can therefore resolve to a file outside the intended asset directories. The vulnerability has been patched in version 3.3.3.
Impact
Exploitation of this vulnerability allows arbitrary file read: an attacker can retrieve files outside the application's static-asset directories, limited only by the filesystem permissions of the account running Joplin Server.
Reproduction
The vulnerability can be reproduced by requesting a static file path that begins with `css/pluginAssets` or `js/pluginAssets` and is followed by a traversal sequence, for example `css/pluginAssets/../../../../../../../../etc/passwd`, which causes the server to return a sensitive file such as the system password file instead of a plugin asset.
Remediation
Users are advised to update Joplin Server to version 3.3.3 or later.
