Kimai
cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*
- >= 2.32.0, <= 2.55
A vulnerability allowing arbitrary file read has been identified in Kimai, an open-source time tracking application. This issue affects versions 2.32.0 prior to 2.56.0. A user who holds the System-Admin role and has permission to upload invoice templates can craft a template so that, during PDF rendering, any file readable by the PHP worker is read and embedded in the generated PDF invoice. The root cause is in the PDF rendering process: an uploaded template can declare associated files, and those file references are read and included in the PDF output without being restricted to an intended location.
Exploitation of this vulnerability allows an attacker to read arbitrary files on the server, provided they are accessible by the PHP worker. The contents of these files are then embedded in the PDF invoice, potentially leading to the disclosure of sensitive information.
Users can upgrade to Kimai version 2.56.0, where this vulnerability has been patched. Instructions for downloading the latest version are available on the Kimai GitHub releases page.
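The mitigation the advisory implies is to confine any file reference taken from a template to an allow-listed directory before it is read. The following is an added illustration of that check and is not Kimai's own code; the directory name, the function name and the sample references are assumptions constructed for this example.

```php
<?php
// Added example (not Kimai's own code): resolve a file reference found in an
// uploaded invoice template and only accept it if it is a regular file inside
// an allow-listed directory. Names and paths here are illustrative assumptions.

declare(strict_types=1);

/**
 * Return the canonical path of $reference when it resolves to a regular file
 * inside $allowedDir; return null so the caller skips the attachment otherwise.
 */
function resolveTemplateAttachment(string $allowedDir, string $reference): ?string
{
    $base = realpath($allowedDir);
    if ($base === false) {
        return null; // allow-listed directory does not exist
    }

    // Reject empty, absolute and scheme-prefixed references (php://, file://, data:)
    // before touching the filesystem at all.
    if ($reference === ''
        || $reference[0] === '/'
        || $reference[0] === '\\'
        || preg_match('#^[a-z][a-z0-9+.-]*:#i', $reference) === 1) {
        return null;
    }

    // realpath() collapses ".." segments and follows symlinks, so the result is
    // the file that would actually be opened.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $reference);
    if ($candidate === false || !is_file($candidate)) {
        return null; // missing file, directory, or symlink pointing nowhere
    }

    // Confine the resolved path to the allow-listed directory (trailing separator
    // prevents "/assets-other" from matching "/assets").
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }

    return $candidate;
}

// Constructed demonstration: create a throwaway allow-listed directory with one
// legitimate asset, then try a valid reference and several rejected ones.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'invoice-assets-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'logo.png', 'constructed sample content');

foreach (['logo.png', '../outside.txt', '/etc/hostname', 'php://filter/resource=logo.png'] as $ref) {
    $resolved = resolveTemplateAttachment($dir, $ref);
    printf("%-32s => %s\n", $ref, $resolved === null ? 'rejected' : 'allowed: ' . $resolved);
}
```

The order of the checks matters: the scheme and absolute-path tests run before `realpath()` so that stream wrappers are never handed to the filesystem layer, and the prefix comparison runs after `realpath()` so that symlinks inside the allowed directory cannot escape it.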