jishenghua jshERP Path Traversal Vulnerability in DefaultPluginOperator Component

Vulnerability

A path traversal vulnerability has been identified in jishenghua jshERP versions through 3.6. The issue arises in the DefaultPluginOperator component, specifically within the installByPath function. The vulnerability allows for directory traversal by manipulating the 'path' argument, which is then passed to the 'java.nio.file.Files#exists' function without proper validation. This oversight could lead to unauthorized information disclosure regarding the existence or type of files on the server. The vulnerability can be exploited remotely, and a public exploit is available.
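The unvalidated-path pattern this advisory describes, beside a hardened resolver that confines the supplied path to a single plugin directory. This is an added example, not jshERP's own code; the class name PluginPathGuard, its method names and the /opt/jsherp/plugins directory are assumptions.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class PluginPathGuard {
    // Assumed: the only directory from which plugin files may be installed.
    private final Path pluginRoot;

    public PluginPathGuard(String pluginRoot) {
        this.pluginRoot = Paths.get(pluginRoot).toAbsolutePath().normalize();
    }

    // Pattern described in the advisory: a caller-controlled path goes
    // straight to Files.exists, so a path containing ".." segments probes
    // files outside the plugin directory and the response leaks whether
    // they exist.
    public boolean existsUnchecked(String userPath) {
        return Files.exists(Paths.get(userPath));
    }

    // Hardened form: anchor the path under pluginRoot, collapse ".."
    // segments with normalize(), then reject anything that escaped the
    // root. An absolute userPath is returned unchanged by resolve(), so the
    // startsWith check rejects it as well.
    public Path resolveInsideRoot(String userPath) {
        if (userPath == null || userPath.isEmpty() || userPath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid plugin path");
        }
        Path candidate = pluginRoot.resolve(userPath).normalize();
        if (!candidate.startsWith(pluginRoot)) {
            throw new IllegalArgumentException("plugin path escapes plugin directory");
        }
        return candidate;
    }

    // Only a path that survived resolveInsideRoot reaches Files.exists.
    // A symlink placed inside the root can still point elsewhere; if that
    // matters, repeat the startsWith check on candidate.toRealPath().
    public boolean existsChecked(String userPath) {
        return Files.exists(resolveInsideRoot(userPath));
    }

    public static void main(String[] args) {
        PluginPathGuard guard = new PluginPathGuard("/opt/jsherp/plugins"); // constructed
        String[] samples = {"demo-plugin.jar", "../../outside.txt", "/tmp/outside.txt"};
        for (String p : samples) {
            try {
                System.out.println(p + " -> allowed as " + guard.resolveInsideRoot(p));
            } catch (IllegalArgumentException e) {
                System.out.println(p + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```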

Impact

Exploitation of this vulnerability could result in unauthorized information disclosure, allowing an attacker to determine the existence and type of files on the server.

Reproduction

To reproduce this vulnerability, send a POST request to '/jshERP-boot/plugin/installByPath' with a crafted 'path' parameter that includes directory traversal sequences, such as '..'. The request must include a valid access token in the headers.

Added: Jan 29, 2026, 2:19 PM
Updated: Jan 29, 2026, 5:03 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.6
remediation: 0.0
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.