Zurich Instruments LabOne Web Server Path Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A path traversal vulnerability has been identified in the LabOne Web Server, which supports the LabOne User Interface. This vulnerability arises from inadequate input validation in the file access feature, enabling an unauthenticated attacker to read arbitrary files on the host system that are accessible to the user under which the LabOne software is running. The issue is present in all LabOne versions prior to 26.01.3.9. Additionally, the Web Server's insufficient cross-origin request restrictions could allow a remote attacker to exploit this vulnerability through a victim's browser by directing them to a malicious website. This exploitation method is only possible when the LabOne Web Server is active; installations using only the LabOne APIs without the Web Server running are not vulnerable.

Impact

Exploitation of this vulnerability could lead to unauthorized access and reading of sensitive files on the host system.

Remediation

Users are advised to update to LabOne version 26.01.3.9 or later. This update can be applied directly through the LabOne software or downloaded from the Zurich Instruments Download Center. For those who cannot upgrade immediately, it is recommended to limit access to the LabOne Web Server to localhost only, operate within a trusted laboratory network, and avoid storing sensitive data on the LabOne host.
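
The following triage check is an added example, not code from Zurich Instruments or from the original advisory. It compares an installed version against the fixed release 26.01.3.9 numerically (a plain string comparison would misorder multi-digit components) and reads `ss -ltn` output to see whether the Web Server listens beyond localhost. The port 8006, the sample listener output and all function names are assumptions made for illustration.

```python
import ipaddress

FIXED = (26, 1, 3, 9)   # first fixed LabOne release named in the advisory
PORT = 8006             # ASSUMED Web Server port; confirm for your installation

# Constructed `ss -ltn` output, not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8006       0.0.0.0:*
LISTEN 0      128    [::1]:8006         [::]:*
LISTEN 0      128    127.0.0.1:8004     0.0.0.0:*
"""

def parse_version(text):
    """'26.01.3.9' -> (26, 1, 3, 9), so components compare as numbers."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable_version(text):
    return parse_version(text) < FIXED

def listener_hosts(ss_output, port):
    """Local addresses of LISTEN sockets bound to `port`."""
    hosts = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, bound_port = fields[3].rpartition(":")
        if bound_port == str(port):
            hosts.append(host.strip("[]").split("%")[0])  # drop brackets, scope id
    return hosts

def is_loopback(host):
    if host in ("*", ""):          # wildcard bind
        return False
    return ipaddress.ip_address(host).is_loopback

def assess(version, ss_output, port=PORT):
    if not is_vulnerable_version(version):
        return "patched"
    hosts = listener_hosts(ss_output, port)
    if not hosts:
        return "vulnerable version, Web Server not listening"
    exposed = [h for h in hosts if not is_loopback(h)]
    if exposed:
        return "vulnerable version, Web Server reachable beyond localhost: " + ", ".join(exposed)
    return "vulnerable version, Web Server bound to localhost only"

if __name__ == "__main__":
    print(assess("26.01.3.8", SAMPLE_SS))
```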

Added: Apr 23, 2026, 10:21 AM
Updated: Apr 23, 2026, 10:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.5
remediation: 0.0
relevance: 6.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.