Tautulli Path Traversal Vulnerability in Image API Endpoint Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in Tautulli versions up to and including 2.15.3. The issue resides in the '/image' API endpoint, which is reachable without authentication. The endpoint is intended to serve static images from the application's data directory for use in the web interface, but it does not adequately validate the image path it receives, so an unauthenticated attacker can supply traversal sequences to escape that directory and read arbitrary files that the Tautulli process can access. Files of particular interest include the 'tautulli.db' SQLite database, which contains active JWT tokens, and the 'config.ini' file, which holds the hashed admin password, the JWT token secret, and the Plex Media Server connection details. If the admin password is cracked or a valid JWT token is obtained, an attacker can escalate to administrative control over Tautulli.

Impact

Successful exploitation allows unauthenticated attackers to read arbitrary files from the server's file system, giving them access to sensitive application data such as the database file containing JWT tokens and the configuration file containing the JWT secret, the hashed admin password, and Plex server details. With that material an attacker can gain administrative privileges on the Tautulli application.

Reproduction

To reproduce this vulnerability, send an unauthenticated GET request to the '/image' endpoint with a path that includes traversal sequences (such as '../', repeated enough times to leave the image directory) and that names a file outside the intended directory. On a vulnerable instance the response body contains the contents of the requested file; comparing it against a known file such as the instance's own 'config.ini' confirms the read. A patched instance should refuse the request rather than serve the file.

Remediation

Upgrade to Tautulli version 2.16.0 or later, where this vulnerability has been patched. Because the readable files include 'config.ini' (JWT token secret, hashed admin password, Plex connection details) and 'tautulli.db' (active JWT tokens), operators whose instance was reachable by untrusted parties should treat those secrets as exposed and change the admin password and invalidate existing sessions after upgrading.
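The following is an added example, not Tautulli's own code and not the project's fix. It shows the vulnerable join pattern the Reproduction section exploits, a hardened replacement that rejects traversal and keeps the resolved path inside the image directory (the property the 2.16.0 fix must provide), and a log-triage check for traversal attempts against '/image'. The image directory, function names, and access-log lines are all constructed assumptions.

```python
"""
Added example (not Tautulli's code): the vulnerable join pattern, a hardened
replacement, and a log-triage check for traversal attempts against /image.
All paths, function names and log lines below are constructed assumptions.
"""
import os
import re
from urllib.parse import unquote

# Assumed image directory; Tautulli's real on-disk layout is not taken from the page.
IMAGE_DIR = "/srv/tautulli/data/interfaces/default/images"


def unsafe_image_path(base_dir, *parts):
    """Vulnerable pattern: client-supplied path components are joined onto the
    base directory with no containment check, so '..' walks out of it."""
    return os.path.normpath(os.path.join(base_dir, *parts))


def safe_image_path(base_dir, *parts):
    """Hardened lookup: reject suspicious components up front, then canonicalise
    and require the final path to remain inside base_dir (symlinks included)."""
    if not parts:
        raise ValueError("no image path given")
    root = os.path.realpath(base_dir)
    for part in parts:
        if (not part or part in (".", "..") or os.path.isabs(part)
                or "/" in part or "\\" in part or "\x00" in part):
            raise ValueError("rejected path component: %r" % part)
    candidate = os.path.realpath(os.path.join(root, *parts))
    # commonpath is the containment test; a plain startswith() would let a
    # sibling such as '.../images-old' slip through.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes image directory: %r" % candidate)
    return candidate


def is_safe(base_dir, *parts):
    """Boolean wrapper around safe_image_path for quick checks."""
    try:
        safe_image_path(base_dir, *parts)
        return True
    except ValueError:
        return False


# Matches the request target in a common/combined-format access log line.
_REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (?P<target>\S+) HTTP/')
# A '..' standing alone as a path or query component, after normalising backslashes.
_DOTDOT_RE = re.compile(r'(?:^|[/?&=])\.\.(?=[/?&]|$)')


def is_image_traversal(log_line):
    """True when the line is a request to /image whose (doubly URL-decoded)
    target contains a '..' component; double decoding catches %252e%252e%252f."""
    m = _REQUEST_RE.search(log_line)
    if not m:
        return False
    target = unquote(unquote(m.group("target"))).replace("\\", "/")
    if not (target == "/image" or target.startswith("/image/")
            or target.startswith("/image?")):
        return False
    return bool(_DOTDOT_RE.search(target))


# Constructed sample log lines (not real Tautulli logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Sep/2025:20:20:01 +0000] "GET /image/logo.png HTTP/1.1" 200 5120',
    '10.0.0.9 - - [09/Sep/2025:20:21:13 +0000] "GET /image/../../../../config.ini HTTP/1.1" 200 2048',
    '10.0.0.9 - - [09/Sep/2025:20:21:14 +0000] "GET /image/%2e%2e%2f%2e%2e%2ftautulli.db HTTP/1.1" 200 917504',
    '10.0.0.9 - - [09/Sep/2025:20:21:15 +0000] "GET /image/%252e%252e%252fconfig.ini HTTP/1.1" 200 2048',
    '10.0.0.5 - - [09/Sep/2025:20:22:40 +0000] "GET /api/v2?cmd=get_activity HTTP/1.1" 200 300',
    '10.0.0.5 - - [09/Sep/2025:20:22:41 +0000] "GET /image/poster..png HTTP/1.1" 200 8000',
]


def triage(lines):
    """Return the lines that look like traversal attempts against /image."""
    return [line for line in lines if is_image_traversal(line)]


if __name__ == "__main__":
    print(unsafe_image_path(IMAGE_DIR, "..", "..", "..", "..", "config.ini"))
    print(is_safe(IMAGE_DIR, "logo.png"), is_safe(IMAGE_DIR, "..", "config.ini"))
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The containment check uses os.path.commonpath on realpath-resolved paths rather than a string prefix test, so a sibling directory with the same prefix or a symlink inside the image directory cannot be used to escape it. The triage check decodes the request target twice before looking for '..' because single decoding misses double-encoded payloads, and it only considers '/image' targets so that normal API traffic is not flagged.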

Added: Sep 9, 2025, 8:20 PM
Updated: Sep 9, 2025, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact          5.8
exploitability  8.8
remediation     7.7
relevance       0.5
threat          4.8
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.