Tautulli
cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*
- <= 2.16.1
A path traversal vulnerability has been identified in the Tautulli application in versions 2.16.1 and earlier. The issue resides in the '/newsletter/image/images' API endpoint, where an unauthenticated attacker can supply a file path containing directory traversal sequences and read arbitrary files from the server's filesystem. The flaw has been addressed in Tautulli version 2.17.0.
Exploitation allows unauthorized file access on the server, including sensitive files such as the 'tautulli.db' SQLite database and the 'config.ini' file. The 'tautulli.db' database contains active JWT tokens, while 'config.ini' holds the hashed admin password, the JWT token secret, and the Plex Media Server connection details. An attacker who cracks the hashed admin password, reuses an active JWT token from the database, or forges a token with the stolen JWT secret can gain administrative control over the Tautulli application.
The vulnerability can be reproduced by sending a request to the '/newsletter/image/images' endpoint with a crafted file path that includes directory traversal sequences. A plain HTTP client such as 'wget' is sufficient to retrieve files such as 'config/config.ini' or 'config/tautulli.db' from the Tautulli server, and no authentication is required.
Users are advised to update Tautulli to version 2.17.0 or later, where this vulnerability has been patched. Because updating does not revoke secrets that may already have been read, operators who cannot rule out prior exploitation should also change the admin password, rotate the JWT secret so that previously issued tokens stop validating, and rotate the Plex Media Server credentials stored in 'config.ini'.
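The two checks a defender wants after reading the reproduction and remediation notes above are (a) whether their web-server or reverse-proxy logs show traversal attempts against '/newsletter/image/images', and (b) whether an installed Tautulli version is in the affected range. The following script is an added example written for this page; it is not code from Tautulli or from the advisory. It assumes Combined/Common Log Format access lines, and the 'file' query parameter in the constructed sample lines is an illustrative name, not the parameter the advisory documents (the detector inspects every query value and the path suffix, so it does not depend on the parameter name). It also handles percent-encoded and double-encoded traversal sequences, which the advisory text does not spell out.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint named in the advisory.
ENDPOINT = "/newsletter/image/images"

# A ".." path component, at the start or after a slash.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Common Log Format: client, ident, user, [timestamp], "METHOD target proto", status, size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding until it stops changing, so %252e%252e becomes '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_request(request_target: str) -> bool:
    """True if the request targets the endpoint and carries a '..' component
    in the path suffix or in any query-string value."""
    parts = urlsplit(request_target)
    path = decode_repeatedly(parts.path)
    if not path.startswith(ENDPOINT):
        return False
    candidates = [path[len(ENDPOINT):]]
    # parse_qsl decodes one layer; decode again to catch double encoding.
    candidates += [decode_repeatedly(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for candidate in candidates:
        if TRAVERSAL.search(candidate.replace("\\", "/")):
            return True
    return False


def scan_access_log(lines):
    """Return one record per log line that looks like a traversal attempt."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, ts, method, target, status, size = m.groups()
        if is_traversal_request(target):
            hits.append({"ip": ip, "time": ts, "target": target, "status": int(status)})
    return hits


def is_affected_version(version: str) -> bool:
    """Affected range from the advisory: 2.16.1 and earlier; fixed in 2.17.0.
    Non-numeric suffixes (e.g. '-beta') are ignored for the comparison."""
    nums = []
    for piece in version.lstrip("v").split("."):
        digits = re.match(r"\d+", piece)
        nums.append(int(digits.group()) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3]) <= (2, 16, 1)


# Constructed sample log lines (not real traffic). The 'file' parameter name is illustrative.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:12:00:01 +0000] "GET /newsletter/image/images?file=../../config/config.ini HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/Jan/2024:12:00:02 +0000] "GET /newsletter/image/images?file=%2e%2e%2f%2e%2e%2fconfig%2ftautulli.db HTTP/1.1" 200 1048576',
    '198.51.100.11 - - [10/Jan/2024:12:00:03 +0000] "GET /newsletter/image/images?file=%252e%252e%252fconfig.ini HTTP/1.1" 200 4096',
    '192.0.2.9 - - [10/Jan/2024:12:00:04 +0000] "GET /newsletter/image/images?file=logo.png HTTP/1.1" 200 2048',
    '192.0.2.10 - - [10/Jan/2024:12:00:05 +0000] "GET /home HTTP/1.1" 200 1500',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} {hit['target']}")
    for v in ("2.16.1", "2.17.0"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

A hit with status 200 and a large response size against this endpoint is the strongest signal that a file was actually served; a 404 still shows someone probing. Pipe your real access log into `scan_access_log` and treat any hit on an instance that `is_affected_version` reports as affected as a reason to rotate the secrets listed above, not just to patch.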