OliveTin Arbitrary File Write Vulnerability via Directory Traversal
Vulnerability
A vulnerability in OliveTin prior to version 3000.11.2 allows arbitrary file writes via directory traversal. When the saveLogs feature is enabled, OliveTin logs execution entries to disk using a filename derived from the user-supplied UniqueTrackingId in the StartAction API request. This ID is not validated before being used in the file path, so an attacker can manipulate the path and write files to unintended locations on the filesystem. OliveTin often runs as root in Docker containers, potentially giving an attacker write access to the entire filesystem.
Impact
Exploitation of this vulnerability allows arbitrary file writes to any path writable by the OliveTin process. This could lead to overwriting critical files, injecting malicious data, or even executing unauthorized commands, especially since OliveTin frequently operates as root inside Docker containers.
Reproduction
To reproduce this vulnerability, send a StartAction request with a UniqueTrackingId that includes directory traversal sequences, such as '../../../'. The constructed filename will traverse out of the intended log directory, allowing files to be written to arbitrary locations on the filesystem.
Remediation
Users should update to OliveTin version 3000.11.2 or later, where this vulnerability has been fixed.
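As an added illustration (my own Go example, not OliveTin's code and not its actual fix), the following contrasts a log-path construction with the defect described under Vulnerability and Reproduction against one that allow-lists the tracking ID and confirms the resulting path stays inside the log directory. The log directory, the ID character set, the sample IDs and the helper names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed log directory for this example; OliveTin's real location is not given on the page.
const logDir = "/var/log/olivetin-example"

// vulnerableLogPath mirrors the defect described above: the caller-controlled tracking ID
// is used directly as a path component, so "../" sequences walk out of logDir.
func vulnerableLogPath(trackingID string) string {
	return filepath.Join(logDir, trackingID+".json")
}

// Assumed allow-list for tracking IDs: a short token of letters, digits, '-' and '_'.
// Path separators and '.' are excluded, so "..", "/" and "\" can never reach the path.
var trackingIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// escapesLogDir reports whether a cleaned path lies outside logDir. It is the
// defence-in-depth check applied after the allow-list, and is also useful on its own
// for auditing paths an existing deployment may already have written.
func escapesLogDir(p string) bool {
	rel, err := filepath.Rel(logDir, p)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeLogPath rejects any tracking ID outside the allow-list, then confirms the
// resulting path is still inside logDir before returning it.
func safeLogPath(trackingID string) (string, error) {
	if !trackingIDPattern.MatchString(trackingID) {
		return "", errors.New("tracking id contains disallowed characters")
	}
	p := filepath.Join(logDir, trackingID+".json")
	if escapesLogDir(p) {
		return "", errors.New("tracking id resolves outside the log directory")
	}
	return p, nil
}

func main() {
	// Constructed sample IDs: one benign, one carrying a traversal sequence.
	for _, id := range []string{"run-42", "../../../tmp/escaped"} {
		unsafe := vulnerableLogPath(id)
		fmt.Printf("id %q -> unvalidated path %q (escapes log dir: %v)\n", id, unsafe, escapesLogDir(unsafe))
		if p, err := safeLogPath(id); err != nil {
			fmt.Printf("id %q -> rejected: %v\n", id, err)
		} else {
			fmt.Printf("id %q -> validated path %q\n", id, p)
		}
	}
}
```

The allow-list alone is sufficient to block traversal; the filepath.Rel check exists so that a future relaxation of the pattern (or a different code path that builds the filename) still cannot silently write outside the log directory.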
