Outline Path Traversal Vulnerability Leading to Arbitrary File Read

Vulnerability

A path traversal vulnerability allowing arbitrary file read has been identified in Outline versions prior to 1.4.0. During the JSON import process, the application does not properly validate the 'attachments[].key' values taken from the imported JSON. An attacker can therefore embed path traversal sequences or absolute paths in these keys and read arbitrary files on the server. The root cause is that the unvalidated keys are used directly to construct file paths, which are then read without any security checks. Exploitation could disclose sensitive information such as environment files, application configuration files, private keys, and database connection credentials.

Impact

Exploitation of this vulnerability could result in the unauthorized disclosure of sensitive information from arbitrary files on the server, including environment files, application configuration files, private keys, and database connection credentials.

Reproduction

To reproduce this vulnerability, an attacker needs administrator privileges and access to the JSON import feature. The attacker creates a ZIP archive containing a crafted JSON file whose 'attachments[].key' fields carry path traversal sequences, then uploads the archive through the import process; the application reads the files at the resulting paths, triggering the vulnerability.

Remediation

Users are advised to update to Outline version 1.4.0 or later, where this vulnerability has been fixed.

Added: Feb 11, 2026, 9:27 PM
Updated: Feb 11, 2026, 9:27 PM

Vulnerability Rating

Custom Algorithm

spread:         3.4
impact:         2.5
exploitability: 6.3
remediation:    7.7
relevance:      2.9
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.