OsamaTaher Java Spring Boot Codebase Path Traversal Vulnerability Allowing Unauthenticated Arbitrary File Read
Vulnerability
A path traversal vulnerability has been identified in OsamaTaher/Java-springboot-codebase, prior to commit c835c6f7799eacada4c0fc77e0816f250af01ad2. The issue arises from inadequate path traversal protections, which allow absolute path traversal and unauthorized access to sensitive internal files. The vulnerability is present in the 'FileSystemStorageService' component, specifically within the 'loadAsResource' method, where file names are not properly validated before being resolved. This flaw enables access to files outside the intended storage directory, which is set by the 'files.store.root' property in 'application-dev.properties'. Additionally, the vulnerable endpoint '/api/v1/files/{fileName}' lacks authentication, allowing any user to read files from the server.
Impact
Exploitation of this vulnerability leads to unauthorized access and disclosure of internal files from the server's file system, potentially including sensitive information.
Reproduction
To reproduce this vulnerability, send a GET request to the '/api/v1/files/{fileName}' endpoint, replacing '{fileName}' with an absolute path to a file, such as '/etc/passwd'. The request will bypass the insufficient path validation and return the contents of the specified file.
Remediation
Users can update to the latest commit in the OsamaTaher/Java-springboot-codebase repository, which includes a patch for this vulnerability.
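The flaw class described above and the containment check that prevents it, shown as an added example that is not code from the OsamaTaher repository or its patch. It assumes the service builds the file path with java.nio.file.Path.resolve; the class name, method names and storage root are hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeResolveDemo {
    // Constructed storage root standing in for the files.store.root value (assumption).
    static final Path ROOT = Paths.get("/srv/app/uploads").toAbsolutePath().normalize();

    // Unchecked pattern: Path.resolve returns its argument unchanged when that
    // argument is absolute, so the storage root is silently discarded.
    static Path resolveUnchecked(String fileName) {
        return ROOT.resolve(fileName);
    }

    // Hardened pattern: resolve, normalize, then require the result to stay
    // strictly under the root. Rejects absolute names and ../ sequences alike.
    static Path resolveChecked(String fileName) {
        Path candidate = ROOT.resolve(fileName).normalize();
        // startsWith compares whole path elements, not string prefixes;
        // equals(ROOT) rejects names such as "" or "." that point at the root itself.
        if (!candidate.startsWith(ROOT) || candidate.equals(ROOT)) {
            throw new SecurityException("file name escapes storage root: " + fileName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign name, one absolute path,
        // one relative traversal, one name that normalizes to a safe path.
        String[] names = {"report.pdf", "/etc/passwd", "../../etc/passwd", "a/../b.txt"};
        for (String name : names) {
            String checked;
            try {
                checked = resolveChecked(name).toString();
            } catch (SecurityException e) {
                checked = "REJECTED";
            }
            System.out.printf("%-20s unchecked=%-28s checked=%s%n",
                    name, resolveUnchecked(name), checked);
        }
    }
}
```

The check works on the normalized path string and does not follow symbolic links; where the storage directory can contain links, compare real paths (Path.toRealPath) of existing files as well.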
