Gramps Web API Path Traversal Vulnerability in Media Archive Import

Vulnerability

A path traversal vulnerability of the Zip Slip type has been identified in the Gramps Web API, affecting versions 1.6.0 through 3.11.0. It lies in the media archive import feature: an authenticated user with owner-level privileges can upload a crafted ZIP archive whose entry names contain directory-traversal sequences (such as '../'), and the importer extracts those entries to arbitrary locations on the server's local filesystem, outside the designated temporary extraction directory. The root cause is that the media importer does not validate ZIP entry names before extracting the members with Python's 'zipfile' module.
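The two extraction patterns side by side, as an added example: this is illustrative Python written for this page, not Gramps Web API's own importer code, and it shows the general Zip Slip check rather than the specific fix shipped in 3.11.1, which this page does not reproduce. The archive it builds (entries 'media/photo.jpg' and '../../outside.txt') is constructed, and the function names (build_sample_zip, make_sandbox, extract_unsafe, safe_member_path, extract_safe, demo) are hypothetical. Everything is written into a throwaway temp tree so the traversal entry lands inside that tree, never anywhere real on the host.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip(malicious: bool) -> bytes:
    """Constructed sample archive (not a real Gramps media export). With
    malicious=True it adds a Zip Slip entry whose name climbs two levels up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("media/photo.jpg", b"\xff\xd8\xff\xe0fake-jpeg")
        if malicious:
            zf.writestr("../../outside.txt", b"written outside the temp dir\n")
    return buf.getvalue()


def make_sandbox() -> tuple[str, str]:
    """Fresh temp tree: root/a/b is the extraction dir, so a '../../' entry
    lands in root (still inside the sandbox), not anywhere real on the host."""
    root = tempfile.mkdtemp(prefix="zipslip-demo-")
    dest = os.path.join(root, "a", "b")
    os.makedirs(dest)
    return root, dest


def extract_unsafe(zip_bytes: bytes, dest: str) -> list[str]:
    """Vulnerable pattern: joins dest with the raw member name and writes it.
    os.path.join() keeps '..' components, so the member escapes dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.normpath(os.path.join(dest, info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def safe_member_path(dest: str, name: str) -> str:
    """Resolve name under dest and reject anything that does not stay inside.
    '..' components and absolute names are both caught because the joined
    path is compared against dest only after realpath() on both sides."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"zip entry escapes extraction directory: {name!r}")
    return target


def extract_safe(zip_bytes: bytes, dest: str) -> list[str]:
    """Hardened pattern: validate every member name first and fail closed,
    so a malicious archive writes nothing at all."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Raises ValueError before a single byte is written.
        members = [(info, safe_member_path(dest, info.filename))
                   for info in zf.infolist()]
        written = []
        for info, target in members:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors against the malicious archive in separate sandboxes."""
    root_u, dest_u = make_sandbox()
    extract_unsafe(build_sample_zip(malicious=True), dest_u)
    escaped = os.path.exists(os.path.join(root_u, "outside.txt"))

    root_s, dest_s = make_sandbox()
    try:
        extract_safe(build_sample_zip(malicious=True), dest_s)
        rejected = False
    except ValueError:
        rejected = True
    nothing_written = not os.path.exists(os.path.join(dest_s, "media", "photo.jpg"))
    benign = extract_safe(build_sample_zip(malicious=False), dest_s)
    return {
        "unsafe_escaped_dest": escaped,
        "safe_rejected_archive": rejected,
        "safe_wrote_nothing_on_reject": nothing_written,
        "safe_benign_files": len(benign),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping when writing an importer of your own. First, check every entry name before writing any of them: an importer that rejects an entry only when it reaches it has already dropped the earlier entries on disk. Second, compare realpath()-resolved paths with os.path.commonpath rather than a string prefix test, so that a destination of '/tmp/x' is not fooled by a target under '/tmp/x2'. Note also that Python's own ZipFile.extract() and extractall() strip leading slashes and '..' components from member names; it is hand-rolled loops over infolist() that write through zf.open(), like extract_unsafe above, that get no such protection. The check above validates names only; an extractor that recreates symlink entries from the archive needs a separate check on link targets.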

Impact

Successful exploitation gives the attacker an arbitrary file write outside the intended temporary directory, performed with the permissions of the account running the Gramps Web API. Depending on the deployment configuration, that is enough to overwrite critical files or the database files themselves.

Remediation

Users should upgrade to Gramps Web API version 3.11.1 or later, where this vulnerability has been patched. The latest release is available from the project's GitHub releases page.

Added: Apr 17, 2026, 10:36 PM
Updated: Apr 17, 2026, 10:36 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.2
exploitability: 5.5
remediation: 0.0
relevance: 6.1
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.