Lumiverse
- <= 0.9.5
A vulnerability in Lumiverse, an AI chat application, allows arbitrary command execution on the server. The issue exists in versions prior to 0.9.7. It arises in the SMBFileSystem.exists() method, which does not properly validate the basename of file paths. When the primary path validation fails, the method splits the path into its directory and basename components, and the basename, with no validation of its own, is appended directly to the smbclient command string. Because smbclient treats certain characters as command separators or as triggers for executing commands, a crafted path can execute arbitrary commands on the Lumiverse server.
Exploitation of this vulnerability allows authenticated users with Owner or Admin roles to execute arbitrary commands on the Lumiverse server as the server process user.
To reproduce this vulnerability, send a POST request to the '/api/v1/st-migration/test-connection' endpoint with a path whose basename contains shell metacharacters that are never validated, such as ';' or '!'. The injected command is executed on the host.
Users are advised to update Lumiverse to version 0.9.7 or later, where this vulnerability has been fixed.
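To make the flaw concrete, the following is an added, hypothetical re-creation of the pattern the advisory describes (it is not Lumiverse's code): a string-built smbclient command that trusts the basename, beside a hardened version that allowlists the basename and passes arguments as a vector. The share path, the `-N`/`-D`/`-c` smbclient options and the `ls`-based existence check are assumptions for illustration.

```python
import re
import subprocess
from pathlib import PurePosixPath

# Hypothetical illustration of the advisory's bug pattern, not Lumiverse's code.
# smbclient's -c parser splits commands on ';' and treats '! cmd' as a local
# shell escape, so a basename that reaches the command string unvalidated is an
# injection sink even when no /bin/sh is involved.

class UnsafePathError(ValueError):
    """Raised when a path component could change the smbclient command."""

# Allowlist: Unicode letters/digits, underscore, space, dot, dash, parentheses.
_SAFE_BASENAME = re.compile(r"^[\w .\-()]+$")

def validate_basename(name: str) -> str:
    """Accept only a plain file name; '.' and '..' are rejected explicitly."""
    if name in ("", ".", "..") or not _SAFE_BASENAME.fullmatch(name):
        raise UnsafePathError(f"unsafe basename: {name!r}")
    return name

def split_remote_path(path: str) -> tuple[str, str]:
    """Mirror of the dirname/basename split the advisory describes."""
    p = PurePosixPath(path)
    return str(p.parent), p.name

def vulnerable_command(share: str, path: str) -> str:
    """Insecure pattern: one string handed to a shell, basename trusted."""
    dirname, basename = split_remote_path(path)
    return f"smbclient {share} -D {dirname} -c 'ls {basename}'"  # shell=True sink

def hardened_argv(share: str, path: str) -> list[str]:
    """Validated basename, argument vector, no shell re-parsing."""
    dirname, basename = split_remote_path(path)
    validate_basename(basename)
    # Each value is its own argv element; only the validated name enters -c.
    return ["smbclient", share, "-N", "-D", dirname, "-c", f"ls {basename}"]

def remote_exists(share: str, path: str) -> bool:
    """Assumes smbclient exits non-zero when 'ls' reports an NT_STATUS error."""
    proc = subprocess.run(hardened_argv(share, path), capture_output=True, text=True)
    return proc.returncode == 0
```

Avoiding the shell is necessary but not sufficient here: the basename still lands inside smbclient's own command string, so the allowlist check is what closes the hole.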