OpenC3 COSMOS Directory Traversal Vulnerability in Tables API Endpoint

A directory traversal vulnerability has been identified in the OpenC3 COSMOS command and control software, specifically in version 6.0.0. The issue resides within the 'openc3-api/tables' API endpoint, where improper input validation allows authenticated users to traverse directories and access arbitrary files on the server.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files within the application's Docker container, potentially including confidential information or application secrets.

Reproduction

The vulnerability can be reproduced by sending a GET request to the 'openc3-api/tables' endpoint with a crafted file path that includes directory traversal sequences. This request can be made using any HTTP client or tool that allows for manual request modification, such as Postman or curl. Once the request is sent, the response will contain a base64-encoded representation of the requested file's contents, which can be decoded to retrieve the original file data.

Remediation

It is recommended to sanitize all user input, particularly URL parameters, to prevent path traversal attacks. Additionally, file read and write operations should be restricted to designated directories within the Docker container. Finally, the container should be configured to run as a non-root user to enhance security.