Ciguard Directory Traversal Vulnerability via Symlink Following
Vulnerability
A directory traversal vulnerability has been identified in Ciguard versions 0.8.0 to 0.8.1. The issue arises in the 'discover_pipeline_files()' function, which follows symlinks while traversing directory trees. The function tracks visited paths to protect against cycles, but that protection does not keep the traversal inside the scanned directory. By placing a symlink in a directory that the user or AI agent scans, an attacker can steer the discovery process to files outside the intended directory, potentially exposing sensitive information such as hardcoded secrets or internal configuration details.
Impact
Exploitation of this vulnerability allows for unauthorized access to files outside the scanned directory, including sensitive pipeline-related information. This could lead to the exposure of hardcoded secrets, internal hostnames, or deployment keys.
Reproduction
To reproduce this vulnerability, plant a symlink in a directory that will be scanned by Ciguard's 'discover_pipeline_files()' function. The symlink should point to a location containing pipeline-shaped files, such as a directory with AWS configuration files. When the 'discover_pipeline_files()' function is called, it will follow the symlink and return paths to the targeted files, including their contents, thereby demonstrating the directory traversal vulnerability.
Remediation
Users can update to Ciguard version 0.8.2 or later, where this vulnerability has been fixed. Instructions for downloading the latest version are available on the Ciguard GitHub repository.
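The difference between cycle protection and containment, as an added example that is not Ciguard's code or its actual fix. The function names, the PIPELINE_NAMES set and the directory layout are assumptions made for illustration, and the hardened variant also covers file-level symlinks, which goes slightly beyond the directory case described above.

```python
import os
import tempfile
from pathlib import Path

# Assumed file names; Ciguard's real matching rules are not given on this page.
PIPELINE_NAMES = {".gitlab-ci.yml", "Jenkinsfile"}

def discover_following_symlinks(root):
    """Pattern from the advisory: follow symlinks, guard only against cycles."""
    found, visited = [], set()
    for dirpath, dirnames, filenames in os.walk(root, followlinks=True):
        real = os.path.realpath(dirpath)
        if real in visited:  # stops loops, but does not confine the walk to root
            dirnames[:] = []
            continue
        visited.add(real)
        found += [os.path.join(dirpath, f) for f in filenames if f in PIPELINE_NAMES]
    return found

def discover_contained(root):
    """Hardened variant: no descent through symlinked directories, and every
    match must still resolve to a path inside the scan root."""
    root_real = Path(root).resolve()
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            candidate = Path(dirpath, name)
            # resolve() follows file symlinks, so out-of-root targets are rejected
            if name in PIPELINE_NAMES and candidate.resolve().is_relative_to(root_real):
                found.append(str(candidate))
    return found

def demo():
    """Constructed layout: scan/ has one real pipeline file plus two symlinks to outside/."""
    with tempfile.TemporaryDirectory() as tmp:
        scan, outside = Path(tmp, "scan"), Path(tmp, "outside")
        scan.mkdir()
        outside.mkdir()
        (scan / ".gitlab-ci.yml").write_text("stages: [build]\n")
        (outside / "Jenkinsfile").write_text("pipeline {}\n")
        os.symlink(outside, scan / "vendor", target_is_directory=True)
        os.symlink(outside / "Jenkinsfile", scan / "Jenkinsfile")
        rel = lambda paths: sorted(os.path.relpath(p, scan) for p in paths)
        return rel(discover_following_symlinks(scan)), rel(discover_contained(scan))
```

Calling demo() returns both result lists for the same tree: the first includes the two entries reached through symlinks, the second only the file that actually lives under the scan root.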
