Blinko Path Traversal Vulnerability in Music Metadata Endpoint Allowing File Enumeration

Vulnerability

A path traversal vulnerability has been identified in Blinko versions prior to 1.8.4. The issue lies in the music metadata endpoint, where the filePath parameter is not properly validated, allowing an attacker to traverse directories and enumerate files on the server. The endpoint accepts crafted file paths containing traversal sequences and processes them without adequate checks, leading to unauthorized file access.

Impact

Exploitation of this vulnerability allows for unauthorized enumeration of file existence on the server, potentially leading to the discovery of sensitive files such as configuration documents.

Reproduction

To reproduce this vulnerability, send a request to the '/api/v1/public/music-metadata' endpoint with a filePath parameter that includes path traversal sequences. The server responds with different error messages depending on whether the referenced file exists, which allows file paths to be enumerated.
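The two defects described above, a filePath that is resolved without containment checks and an error message that differs for existing and non-existing files, are fixed together in the following handler skeleton. This is an added TypeScript illustration written for this page; it is not Blinko's code or its actual patch. The media root, the function names and the fileExists callback are assumptions made for the example. path.posix is used so the behaviour is the same on every platform.

```typescript
import * as path from "node:path";

// Media directory the endpoint is allowed to serve from (assumed value for this example).
export const MEDIA_ROOT = "/srv/blinko/uploads";

// Resolve a user-supplied path against baseDir and return the absolute path only
// if it stays strictly inside baseDir; otherwise return null.
export function resolveWithinBase(baseDir: string, requested: string): string | null {
  // Reject empty input and embedded NUL bytes, which can truncate the path in lower layers.
  if (requested.length === 0 || requested.includes("\0")) return null;

  const base = path.posix.resolve(baseDir);
  // The trailing separator matters: without it "/srv/blinko/uploads2" would pass as a prefix.
  const prefix = base.endsWith("/") ? base : base + "/";

  // resolve() collapses "." and ".." segments; an absolute `requested` discards
  // baseDir entirely, which the prefix check below also catches.
  const resolved = path.posix.resolve(base, requested);

  return resolved.startsWith(prefix) ? resolved : null;
}

export interface MetadataResponse {
  status: number;
  body: string;
  path?: string;
}

// One uniform response for rejected and for missing paths, so the reply carries
// no signal about whether a file outside the media root exists.
const NOT_FOUND: MetadataResponse = { status: 404, body: "file not found" };

// Handler skeleton: `fileExists` stands in for the filesystem check (assumed
// signature) so the logic can be exercised without touching the disk.
export function handleMetadataRequest(
  baseDir: string,
  filePath: string | undefined,
  fileExists: (absolutePath: string) => boolean,
): MetadataResponse {
  if (typeof filePath !== "string") return NOT_FOUND;

  const resolved = resolveWithinBase(baseDir, filePath);
  if (resolved === null) {
    // Record the rejected value in server-side logs for detection; never echo it to the client.
    return NOT_FOUND;
  }
  if (!fileExists(resolved)) return NOT_FOUND;

  return { status: 200, body: "ok", path: resolved };
}
```

In a real deployment the containment check should be repeated on the realpath of the file (fs.realpath) so a symlink inside the media directory cannot point outside it, and the rejected filePath values should be logged, since repeated traversal sequences against this endpoint are a clear detection signal.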

Remediation

Upgrade to Blinko version 1.8.4 or later, where this vulnerability has been patched.

Added: Mar 23, 2026, 9:22 PM
Updated: Mar 23, 2026, 9:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 0.0
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.