Collabora Online Path Traversal Vulnerability Allowing Arbitrary File Write via Malicious WOPI Server

Vulnerability

A path traversal vulnerability exists in Collabora Online versions prior to 24.04.13.1, 23.05.19, and 22.05.25. The BaseFileName field of the CheckFileInfo response returned by a WOPI server is not sufficiently validated, so a malicious WOPI server can supply a value that causes files to be written to any location where the user ID running Collabora Online has write permission. Exploitation can be achieved by combining this flaw with a time-of-check/time-of-use (TOCTOU) DNS lookup issue involving a WOPI server address controlled by the attacker, which allows the harmful response to reach a Collabora Online instance.
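As an added illustration (not Collabora Online's own code), the kind of check a WOPI host integration should apply to BaseFileName before using it to build a path: reject anything that is not a bare file name, and, as defense in depth, confirm that the resulting path still lies inside the document's working directory. The function names and the "jail" directory are assumptions.

```cpp
#include <algorithm>
#include <filesystem>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Hypothetical check, not Collabora Online's implementation: a WOPI
// CheckFileInfo BaseFileName is supposed to be a bare file name, so any
// path separator, traversal component or embedded NUL is rejected outright.
bool isSafeBaseFileName(const std::string& name)
{
    if (name.empty() || name.size() > 255)
        return false;
    if (name.find_first_of("/\\") != std::string::npos)
        return false;
    if (name.find('\0') != std::string::npos)
        return false;
    if (name == "." || name == "..")
        return false;
    return true;
}

// Defense in depth: build the destination under the per-document working
// directory ("jail", an assumed name) and confirm that, after normalisation,
// it still begins with that directory and names a real file inside it.
std::optional<fs::path> resolveInsideJail(const fs::path& jail, const std::string& name)
{
    fs::path base = jail.lexically_normal();
    if (!base.has_filename())            // drop a trailing separator ("/tmp/jail/")
        base = base.parent_path();

    const fs::path candidate = (base / name).lexically_normal();
    if (!candidate.has_filename())       // e.g. "." normalises to "/tmp/jail/"
        return std::nullopt;

    // Every component of the jail must appear, in order, at the start of the
    // candidate, and the candidate must have at least one component beyond it.
    auto diff = std::mismatch(base.begin(), base.end(), candidate.begin(), candidate.end());
    if (diff.first != base.end() || diff.second == candidate.end())
        return std::nullopt;
    return candidate;
}
```

Apply both checks: the containment test alone would accept a subdirectory name such as "sub/report.odt", which is still not a bare file name.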

Impact

Exploitation of this vulnerability could lead to arbitrary file writes outside the intended directory, potentially allowing for the execution of malicious files or causing other unintended consequences on the server.

Remediation

Users can upgrade to Collabora Online versions 24.04.13.1, 23.05.19, or 22.05.25 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 0.0
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.