Harness Open Source Gitness Git LFS Server Arbitrary File Write Vulnerability

Vulnerability

An arbitrary file write vulnerability has been identified in Gitness, the open source Harness code-hosting server, in its built-in Git LFS server prior to version 3.3.0. The issue arises from improper sanitization of the upload path in the API that handles Git LFS file uploads: a path component taken from the request is used to build the on-disk destination without being validated. An authenticated user with access to the Gitness API can craft an upload request whose path escapes the LFS object store and writes a file of their choosing to any location the server process can write to, potentially compromising the server. Gitness instances that serve Git LFS uploads are affected.
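The bug class in the paragraph above, shown as an added example in Go (the language Gitness is written in). This is not Gitness's code and the advisory does not say which request field carried the path; the example assumes the client-supplied value is the Git LFS object id (OID), which in the LFS basic transfer is the lowercase hex SHA-256 of the content. The storage root, the sharding layout and the function names are hypothetical. The vulnerable form joins the untrusted value straight onto the storage root, so a `..` prefix walks out of it; the hardened form whitelists the OID format and re-checks that the resolved path is still inside the root.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Git LFS object ids are the lowercase hex SHA-256 of the object: exactly 64 chars.
var lfsOIDPattern = regexp.MustCompile(`^[a-f0-9]{64}$`)

var (
	ErrBadOID = errors.New("lfs: object id is not a 64-character lowercase hex sha256")
	ErrEscape = errors.New("lfs: resolved path escapes the storage root")
)

// vulnerableObjectPath mirrors the bug class in the advisory (hypothetical, not
// Gitness's code): the client-supplied id is joined onto the storage root with no
// validation. filepath.Join cleans the result, but cleaning does not confine it,
// so "../../etc/cron.d/x" resolves to /etc/cron.d/x.
func vulnerableObjectPath(root, oid string) string {
	return filepath.Join(root, oid)
}

// safeObjectPath rejects anything that is not a well-formed OID, builds the
// sharded path (root/ab/cd/abcd...), and as defence in depth verifies that the
// cleaned absolute path still lies under the absolute storage root.
func safeObjectPath(root, oid string) (string, error) {
	if !lfsOIDPattern.MatchString(oid) {
		return "", ErrBadOID
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	p := filepath.Join(absRoot, oid[0:2], oid[2:4], oid)
	rel, err := filepath.Rel(absRoot, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscape
	}
	return p, nil
}

func main() {
	root := "/srv/lfs" // hypothetical storage root
	// Constructed attacker input: a traversal string in place of an OID.
	evil := "../../etc/cron.d/x"
	fmt.Println("vulnerable:", vulnerableObjectPath(root, evil))
	if _, err := safeObjectPath(root, evil); err != nil {
		fmt.Println("hardened  :", err)
	}
	// A well-formed (constructed) OID is accepted and sharded under the root.
	oid := strings.Repeat("ab", 32)
	p, _ := safeObjectPath(root, oid)
	fmt.Println("hardened  :", p)
}
```

The whitelist check does the real work here: once the id must match `^[a-f0-9]{64}$`, there is no way to express a separator, a `..` component or an absolute path, and the `filepath.Rel` check only guards against a later refactor that loosens the pattern.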

Impact

Exploitation of this vulnerability allows an authenticated attacker to write attacker-controlled content to arbitrary paths writable by the Gitness process, which can be used to overwrite configuration or application files and thereby compromise the server's integrity and availability.

Remediation

Users are advised to upgrade to version 3.3.0 or later; all earlier versions are affected by this vulnerability.

Added: Aug 29, 2025, 6:18 PM
Updated: Aug 29, 2025, 6:18 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          0.0
  exploitability  5.9
  remediation     7.7
  relevance       0.4
  threat          3.2
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.