AlanBinu007 Spring-Boot-Advanced-Projects Path Traversal Vulnerability in Upload Profile API
Vulnerability
A critical path traversal vulnerability has been identified in AlanBinu007's Spring-Boot-Advanced-Projects repository, specifically in versions up to 3.1.3. The issue arises in the Upload Profile API Endpoint within the UserProfileController.java file. The vulnerability is triggered by manipulating the 'file' argument in the 'uploadUserProfileImage' function, allowing attackers to traverse directories and access arbitrary files on the server. This vulnerability can be exploited remotely, and a proof-of-concept exploit is publicly available.
Impact
Exploitation of this vulnerability allows for unauthorized file access and manipulation on the server, potentially leading to further attacks or data exposure.
Reproduction
To reproduce this vulnerability, send a request to the '/api/v1/user-profile' endpoint with a crafted 'file' parameter that includes path traversal sequences. This will exploit the lack of proper path validation, allowing files to be uploaded or deleted from arbitrary locations on the server.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.