Steipete Summarize Path Traversal Vulnerability in Daemon Endpoint

Vulnerability

A path traversal vulnerability has been identified in the Steipete Summarize application, specifically in versions prior to 0.15.1. The issue resides within the '/v1/summarize' daemon endpoint, where authenticated users can manipulate the 'slidesDir' request parameter to write files to arbitrary directories. By providing an absolute path or a directory traversal sequence, attackers can exploit this vulnerability to save 'slide_*.png' and 'slides.json' files in any writable location. Furthermore, the vulnerability allows for the deletion of these files through repeated extractions.

Impact

Exploitation of this vulnerability could lead to unauthorized file writing and deletion, potentially disrupting normal application operations or causing data loss.

Reproduction

To reproduce this vulnerability, send a request to the '/v1/summarize' daemon endpoint with the 'slidesDir' parameter set to an absolute path or a directory traversal sequence. This will result in the 'slide_*.png' and 'slides.json' files being written to the specified location. The vulnerability can be further exploited by repeating the extraction process to delete the matching files.

Remediation

Users are advised to update to Steipete Summarize version 0.15.2 or later, where this vulnerability has been fixed.
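
For services that accept an output directory from a request in the way described above, the following is an added example of a server-side containment check; it is not the project's own code or its actual fix. `SLIDES_BASE`, `resolveSlidesDir`, `SlidesDirError` and `classify` are hypothetical names, and the base path and sample inputs are constructed.

```javascript
const path = require("node:path");

// Assumed per-deployment base directory (constructed for this example).
const SLIDES_BASE = "/var/lib/summarize-example/slides";

class SlidesDirError extends Error {}

// Map a client-supplied slidesDir to a directory strictly below `base`,
// or throw. Hypothetical helper, not the project's own fix.
function resolveSlidesDir(requested, base = SLIDES_BASE) {
  if (typeof requested !== "string" || requested.length === 0) {
    throw new SlidesDirError("slidesDir must be a non-empty string");
  }
  if (requested.includes("\0")) {
    throw new SlidesDirError("slidesDir contains a NUL byte");
  }
  // Absolute paths are refused in POSIX and Windows form alike.
  if (path.posix.isAbsolute(requested) || path.win32.isAbsolute(requested)) {
    throw new SlidesDirError("slidesDir must be a relative path");
  }
  const root = path.resolve(base);
  // Normalise "\" to "/" so "..\\.." is treated as traversal on POSIX hosts too.
  const candidate = path.resolve(root, requested.replace(/\\/g, "/"));
  const rel = path.relative(root, candidate);
  // "" is the base itself; refuse it so slide cleanup only ever runs in a subdirectory.
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (rel === "" || escapes) {
    throw new SlidesDirError("slidesDir must stay below the slides base directory");
  }
  // Lexical check only: before writing, also compare fs.realpath() of the
  // target's parent against the base so a symlink cannot redirect the write.
  return candidate;
}

// Constructed sample inputs: returns { input: resolvedPath | "REJECTED" }.
function classify(inputs, base = SLIDES_BASE) {
  const out = {};
  for (const input of inputs) {
    try {
      out[input] = resolveSlidesDir(input, base);
    } catch (err) {
      if (!(err instanceof SlidesDirError)) throw err;
      out[input] = "REJECTED";
    }
  }
  return out;
}
```

A name such as `..foo` is accepted because it is an ordinary directory name, while `job/../../x` is rejected because it resolves above the base after normalisation.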

Added: May 18, 2026, 7:21 PM
Updated: May 18, 2026, 7:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.2
exploitability: 5.8
remediation: 0.0
relevance: 8.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.