Feiyuchuixue Sz-Boot-Parent Path Traversal Vulnerability in API Template Download
Vulnerability
A path traversal vulnerability has been identified in the Feiyuchuixue Sz-Boot-Parent project, affecting versions up to 1.3.2-beta. The issue arises in the API component, specifically within the template download endpoint. The vulnerability allows remote attackers to manipulate the 'templateName' parameter, potentially leading to unauthorized access and reading of arbitrary files on the server.
Impact
Exploitation of this vulnerability allows for arbitrary file reading on the server, which could lead to exposure of sensitive information or application data.
Reproduction
To reproduce this vulnerability, send a request to the '/api/admin/common/download/templates' endpoint with a crafted 'templateName' parameter that includes directory traversal sequences, such as '../', to navigate out of the intended directory and access sensitive files like 'application.yml'.
Remediation
Upgrade to version 1.3.3-beta, which includes path validation checks for the template download interface. The patched version is available on the Feiyuchuixue Sz-Boot-Parent GitHub repository.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.