OpenC3 COSMOS Directory Traversal Vulnerability in Script API
Vulnerability
A directory traversal vulnerability has been identified in OpenC3 COSMOS version 6.0.0, specifically within the '/script-api/scripts/' endpoint. It allows authenticated users to read arbitrary files from the Docker container where the application is running. The issue arises because the user-supplied file path is not properly sanitized, so directory traversal sequences in the path can reach files outside the intended directory.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive files within the Docker container, including environment variables that may contain confidential information such as service credentials.
Reproduction
The vulnerability can be reproduced by sending a GET request to the '/script-api/scripts/' endpoint with a crafted file path that includes directory traversal sequences. Any HTTP client or tool that allows manipulation of request parameters can be used. The response includes the contents of the requested file, which demonstrates the directory traversal.
Remediation
It is recommended to implement proper input validation to sanitize file path parameters and prevent directory traversal. Additionally, user file read and write operations should be restricted to designated directories within the container. Finally, the Docker container should be configured to run as a non-root user to enhance security.
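One way to implement the path validation recommended above, as an added example that is not OpenC3 COSMOS code. The base directory, the names `resolve_script_path` and `inside?`, and the fixture files are assumptions constructed for illustration.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

class PathRejected < StandardError; end

# True only when path lies strictly below base. Comparing against base plus a
# separator keeps "/x/scripts_old" from matching the base "/x/scripts".
def inside?(base, path)
  path.to_s.start_with?(base.to_s + File::SEPARATOR)
end

# Map a user-supplied relative name to a regular file under base_dir, or raise.
def resolve_script_path(base_dir, user_path)
  raise PathRejected, 'empty path' if user_path.nil? || user_path.empty?
  raise PathRejected, 'NUL byte' if user_path.include?("\0")
  raise PathRejected, 'absolute path' if Pathname.new(user_path).absolute?
  base = Pathname.new(base_dir).realpath
  # Lexical pass: collapse "." and ".." without touching the filesystem.
  candidate = base.join(user_path).cleanpath
  raise PathRejected, 'escapes base directory' unless inside?(base, candidate)
  # Filesystem pass: resolve symlinks so a link under base cannot point outside.
  real = begin
    candidate.realpath
  rescue SystemCallError
    raise PathRejected, 'not found'
  end
  raise PathRejected, 'symlink escapes base directory' unless inside?(base, real)
  raise PathRejected, 'not a regular file' unless real.file?
  real.to_s
end

# Constructed fixture: one script, one file outside the base, one symlink to it.
def demo
  Dir.mktmpdir do |root|
    base = File.join(root, 'scripts')
    FileUtils.mkdir_p(File.join(base, 'sub'))
    File.write(File.join(base, 'sub', 'ok.rb'), "puts 1\n")
    File.write(File.join(root, 'secret.env'), "PLACEHOLDER=1\n")
    File.symlink(File.join(root, 'secret.env'), File.join(base, 'link.rb'))
    inputs = ['sub/ok.rb', 'sub/../sub/ok.rb', '../secret.env', '../scripts_old/x.rb',
              '/etc/hostname', 'link.rb', "sub/ok.rb\0.txt", 'sub', 'missing.rb']
    inputs.to_h do |p|
      [p, resolve_script_path(base, p).delete_prefix(File.realpath(base) + '/')]
    rescue PathRejected => e
      [p, "rejected: #{e.message}"]
    end
  end
end
```

The check assumes the framework has already decoded the request path exactly once; validating before decoding, or decoding again afterwards, would reopen the gap.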
