Linkwarden Local File Inclusion Vulnerability Allowing Data Leakage
Vulnerability
A local file inclusion vulnerability has been identified in Linkwarden version 2.10.2. The server accepts links in the 'file://' format, such as 'file:///etc/passwd', and does not validate them before passing them to parsers and Playwright. This lack of validation can lead to unauthorized access to other users' links and, in some cases, environment secrets. Because 'userIds' and 'fileIds' are incremental and easily brute-forced, an attacker can use them to access and leak data from other users.
Impact
Exploitation of this vulnerability could result in unauthorized access to and leakage of other users' data, including potentially sensitive configuration files and secrets.
Reproduction
To reproduce this vulnerability, create a link in Linkwarden version 2.10.2 that points to a 'file://' URL. Once the link is saved, the contents of the file can be accessed through the application. This can be demonstrated by linking to a file that contains sensitive information, such as the 'passwd' file or other configuration files that may hold secrets.
Remediation
Users can upgrade to Linkwarden version 2.10.3, which addresses this vulnerability.
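The missing check described under Vulnerability, sketched as an added example: a scheme allowlist applied to a submitted link before it reaches any parser or headless browser. This is not Linkwarden's code or its 2.10.3 patch; `validateLinkUrl`, `screenSubmissions` and the sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example (hypothetical names): allowlist the URL scheme of a
// user-submitted link before it is handed to a fetcher, parser or browser.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function validateLinkUrl(input) {
  if (typeof input !== "string" || input.trim() === "") {
    return { ok: false, reason: "empty or non-string input" };
  }
  let parsed;
  try {
    // The WHATWG URL parser trims surrounding whitespace and lowercases the
    // scheme, so "  FILE:///etc/passwd" is seen here as protocol "file:".
    parsed = new URL(input);
  } catch {
    // Relative paths such as "/etc/passwd" have no scheme and do not parse.
    return { ok: false, reason: "not an absolute URL" };
  }
  // Allowlist, not denylist: file:, view-source:, data:, javascript: and
  // anything unforeseen are all rejected by the same rule.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  // Return the normalized form so downstream code loads exactly the string
  // that was validated rather than re-parsing the raw input.
  return { ok: true, url: parsed.href };
}

// Splits a batch of submissions into accepted URLs and rejected entries.
function screenSubmissions(urls) {
  const accepted = [];
  const rejected = [];
  for (const raw of urls) {
    const result = validateLinkUrl(raw);
    if (result.ok) accepted.push(result.url);
    else rejected.push({ raw, reason: result.reason });
  }
  return { accepted, rejected };
}

// Constructed sample input, not taken from any real deployment.
const SAMPLE_SUBMISSIONS = [
  "https://Example.com/article",
  "http://example.org/",
  "file:///etc/passwd",
  "  FILE:///etc/passwd",
  "view-source:file:///etc/passwd",
  "/etc/passwd",
];
console.log(screenSubmissions(SAMPLE_SUBMISSIONS));
```

A check like this belongs on the server at the point where the link is saved, and again immediately before the URL is passed to the archiving step.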
