Jmix Path Traversal Vulnerability in File Storage

Vulnerability

A path traversal vulnerability has been identified in Jmix applications, specifically in versions 1.0.0 prior to 1.6.1 and 2.0.0 prior to 2.3.4. The file storage does not confine the path carried in a FileRef to the storage root, so an attacker who controls a FileRef value can make the application read any file on the server that the operating-system account running the Jmix process is permitted to read. There are two ways to supply such a value: writing a crafted FileRef directly into the database (which requires write access to the database), or passing a crafted value in the fileRef parameter of the '/files' endpoint of the generic REST API.

Impact

Successful exploitation allows arbitrary file reading from the operating system where the Jmix process runs, with the privileges of the account that runs the JVM. Configuration files, secrets and other application data readable by that account are therefore exposed.

Reproduction

To reproduce this vulnerability, first upload a file to the Jmix application's file storage so that a legitimate FileRef exists. Then, either modify the FileRef of that file in the database so that its path component contains a path traversal payload (for example, parent-directory segments that lead out of the storage root), or send a request to the '/files' endpoint of the generic REST API with such a value in the fileRef parameter. The targeted file is returned only if the operating-system account running the application server has permission to read it.

Remediation

Users should upgrade to Jmix 1.6.2 or 2.4.0, which contain the fix. For those unable to upgrade immediately, Jmix provides a workaround: register a custom file storage bean that validates the path of every FileRef against the storage root and enforces file size limits, and make sure this bean replaces the default storage for the affected storage name. Instructions for implementing this workaround are available in the Jmix documentation.
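The following is an added example of the kind of path validation and size check the workaround calls for. It is not Jmix's own code and does not use the Jmix FileStorage API; the class name SafeFileStorageRoot, its methods, and the storage-root argument are assumptions, as are the sample FileRef paths in main, which are constructed for illustration (they assume POSIX-style paths). A custom file storage bean would call resolve() before opening, deleting or checking any file, and save() when storing uploads.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;

/**
 * Added example (not Jmix code): confines FileRef paths to a storage root
 * and caps the size of stored files. Names and behaviour are assumptions.
 */
public final class SafeFileStorageRoot {

    private final Path root;

    public SafeFileStorageRoot(Path root) throws IOException {
        // Canonicalise the root once so that a symlinked root does not
        // defeat the prefix comparison in resolve().
        this.root = root.toRealPath();
    }

    /**
     * Resolve the relative path taken from a FileRef against the storage
     * root and reject anything that would escape it.
     */
    public Path resolve(String refPath) throws IOException {
        if (refPath == null || refPath.isEmpty()) {
            throw new IllegalArgumentException("empty file path");
        }
        Path candidate = Paths.get(refPath);
        if (candidate.isAbsolute()) {
            // A FileRef path is always relative to the storage root.
            throw new SecurityException("absolute path rejected: " + refPath);
        }
        // normalize() collapses "." and ".." lexically; startsWith() then
        // compares whole path components, so "/srv/files" does not match
        // "/srv/files-other" the way a string prefix check would.
        Path resolved = root.resolve(candidate).normalize();
        if (!resolved.startsWith(root)) {
            throw new SecurityException("path traversal rejected: " + refPath);
        }
        // Lexical containment is not enough if a symlink inside the store
        // points outside it: walk up to the deepest existing ancestor
        // (the root itself always exists) and compare its real path too.
        Path existing = resolved;
        while (!Files.exists(existing)) {
            existing = existing.getParent();
        }
        if (!existing.toRealPath().startsWith(root)) {
            throw new SecurityException("symlink escapes storage root: " + refPath);
        }
        return resolved;
    }

    /**
     * Store at most maxBytes from the stream under refPath; abort and remove
     * the partial file if the limit is exceeded.
     */
    public Path save(String refPath, InputStream in, long maxBytes) throws IOException {
        Path target = resolve(refPath);
        Files.createDirectories(target.getParent());
        byte[] buf = new byte[8192];
        long total = 0;
        try (OutputStream out = Files.newOutputStream(target, StandardOpenOption.CREATE_NEW)) {
            int n;
            while ((n = in.read(buf)) != -1) {
                total += n;
                if (total > maxBytes) {
                    throw new IOException("file exceeds " + maxBytes + " bytes");
                }
                out.write(buf, 0, n);
            }
        } catch (IOException e) {
            Files.deleteIfExists(target);
            throw e;
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path tmpRoot = Files.createTempDirectory("jmix-files");
        SafeFileStorageRoot store = new SafeFileStorageRoot(tmpRoot);
        // Constructed sample FileRef paths: the first is benign, the rest
        // are traversal attempts of the shape the advisory describes.
        String[] samples = {
            "2025/06/09/report.pdf",
            "../../../../etc/passwd",
            "2025/06/../../../etc/passwd",
            "/etc/passwd"
        };
        for (String s : samples) {
            try {
                System.out.println("OK       " + store.resolve(s));
            } catch (SecurityException e) {
                System.out.println("REJECTED " + e.getMessage());
            }
        }
    }
}
```

The real-path check matters because Path.normalize() is purely lexical: a FileRef that names a symlink already present in the store would pass the startsWith() test yet still open a file outside the root. Checking the deepest existing ancestor covers both existing files and new uploads whose parent directory is a symlink.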

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          3.3
exploitability  6.3
remediation     7.7
relevance       0.0
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.