xiaoheiFS Remote Code Execution Vulnerability via Unrestricted Plugin Installation
Vulnerability
A remote code execution vulnerability exists in xiaoheiFS versions through 0.3.15. The issue arises from the plugin system, which allows admins to upload ZIP files containing binaries and a manifest.json file. The server trusts the manifest's binaries field and executes the listed files without any validation, so an uploaded plugin can run arbitrary code on the server. This vulnerability has been patched in version 0.4.0.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where xiaoheiFS is hosted.
Reproduction
To reproduce this vulnerability, upload a ZIP file containing a malicious binary and a manifest.json file through the admin plugin installation endpoint. The manifest must list the binary's path in its binaries field so that the server will execute it. After uploading, enable the plugin to trigger execution of the malicious binary.
Remediation
Users can update to xiaoheiFS version 0.4.0 or later, where this vulnerability has been fixed.
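The missing check the advisory describes is the installer's handling of the manifest's binaries field. The following is an added example, not xiaoheiFS code and not a reconstruction of its plugin format beyond the manifest.json file and binaries field named above: a loader that returns whatever the manifest lists (the behaviour the advisory describes) beside a checked loader that confines every entry to the extracted plugin directory and compares each file against a hypothetical operator-maintained SHA-256 allowlist (trusted_sha256). The plugin directory, helper files and manifests in demo() are constructed sample data.

```python
"""Plugin-manifest validation example (added illustration, not xiaoheiFS code)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path, PurePosixPath


class ManifestError(ValueError):
    """Raised when a plugin manifest fails validation."""


def load_binaries_unsafe(plugin_dir, manifest_text):
    # The pattern the advisory describes: every entry in "binaries" is handed
    # back for execution, with no check on where it points or what it is.
    manifest = json.loads(manifest_text)
    return [os.path.join(plugin_dir, entry) for entry in manifest["binaries"]]


def load_binaries_checked(plugin_dir, manifest_text, trusted_sha256):
    """Return absolute paths of binaries that pass every check, or raise ManifestError.

    trusted_sha256 is a hypothetical allowlist of digests maintained by the operator;
    a signature check over the whole ZIP would serve the same purpose.
    """
    manifest = json.loads(manifest_text)
    if not isinstance(manifest, dict):
        raise ManifestError("manifest must be a JSON object")
    binaries = manifest.get("binaries")
    if not isinstance(binaries, list) or not binaries:
        raise ManifestError("binaries must be a non-empty list")

    root = Path(plugin_dir).resolve()
    approved = []
    for entry in binaries:
        if not isinstance(entry, str) or not entry:
            raise ManifestError("binary entry must be a non-empty string")
        rel = PurePosixPath(entry)
        # Reject absolute paths and any '..' component before touching the filesystem.
        if rel.is_absolute() or not rel.parts or ".." in rel.parts:
            raise ManifestError(f"path not relative to plugin dir: {entry}")
        candidate = root.joinpath(*rel.parts).resolve()
        # resolve() follows symlinks, so this also catches a link that escapes the dir.
        if root not in candidate.parents:
            raise ManifestError(f"path escapes plugin dir: {entry}")
        if not candidate.is_file():
            raise ManifestError(f"not a regular file: {entry}")
        digest = hashlib.sha256(candidate.read_bytes()).hexdigest()
        if digest not in trusted_sha256:
            raise ManifestError(f"binary not in allowlist: {entry}")
        approved.append(str(candidate))
    # Passing validation only makes a binary eligible to run; installing or
    # enabling a plugin should still not execute it as an automatic side effect.
    return approved


def demo():
    """Exercise both loaders on a constructed plugin directory (sample data, not a real plugin)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "plugin"
        (root / "bin").mkdir(parents=True)
        helper = root / "bin" / "helper"
        helper.write_bytes(b"#!/bin/sh\necho constructed sample\n")
        stray = root / "bin" / "stray"
        stray.write_bytes(b"#!/bin/sh\necho not on the allowlist\n")
        trusted = {hashlib.sha256(helper.read_bytes()).hexdigest()}

        manifests = {
            "good": {"name": "demo", "binaries": ["bin/helper"]},
            "traversal": {"name": "demo", "binaries": ["../../outside/tool"]},
            "absolute": {"name": "demo", "binaries": ["/outside/tool"]},
            "untrusted_hash": {"name": "demo", "binaries": ["bin/stray"]},
            "empty": {"name": "demo", "binaries": []},
        }
        texts = {name: json.dumps(body) for name, body in manifests.items()}

        # The unsafe loader returns the traversal path for execution without complaint.
        unsafe = load_binaries_unsafe(root, texts["traversal"])
        results["unsafe_lists_traversal"] = unsafe[0].endswith("outside/tool")

        results["checked_good"] = len(load_binaries_checked(root, texts["good"], trusted))
        for name in ("traversal", "absolute", "untrusted_hash", "empty"):
            try:
                load_binaries_checked(root, texts[name], trusted)
                results[name] = "accepted"
            except ManifestError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file prints one line per case: the unsafe loader lists the traversal entry, while the checked loader accepts only the allowlisted file inside the plugin directory and rejects the traversal, absolute, unknown-hash and empty manifests. Path confinement and the allowlist are separate controls; the first stops the manifest from pointing outside the upload, the second stops an upload from carrying its own executable.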
