How the CVE Works:
The vulnerability in `io.jmix.localfs:jmix-localfs` allows attackers to perform path traversal attacks by manipulating the `FileRef` parameter. This parameter controls file access in Jmix’s local file storage system. Attackers can exploit this in two ways:
1. Direct Database Manipulation: Modifying the `FileRef` value in the database to reference unauthorized system files.
2. REST API Exploitation: Sending a malicious `fileRef` parameter to the `/files` endpoint in Jmix’s generic REST API.
If successful, this allows arbitrary file reads on the host system where Jmix runs. The impact is limited because:
– The REST API `/files` endpoint is disabled by default and requires authentication.
– Only users with specific permissions can access the affected functionality.
DailyCVE Form:
Platform: Jmix LocalFS
Version: 1.0.0 – 1.6.1, 2.0.0 – 2.3.9
Vulnerability: Path Traversal
Severity: Moderate
Date: 2025-04-22
What Undercode Say:
Exploitation:
1. Craft Malicious `FileRef`:
GET /files?fileRef=../../../../etc/passwd HTTP/1.1
Host: vulnerable-jmix-app.com
2. Database Injection:
UPDATE FILE_STORAGE SET FILE_REF = '../../../secrets.txt' WHERE ID = 'target-file';
Protection:
1. Patch Immediately:
<dependency>
    <groupId>io.jmix.localfs</groupId>
    <artifactId>jmix-localfs</artifactId>
    <version>2.4.0</version> <!-- Patched -->
</dependency>
2. Input Validation:
// Coarse pre-check only: it catches a literal "..", but not an absolute path or an
// encoded variant, so it must be paired with canonical path resolution before the file is opened.
if (fileRef.contains("..")) {
    throw new SecurityException("Path traversal detected");
}
3. Disable Unused Endpoints:
jmix:
  rest:
    files:
      enabled: false
Detection:
- Log Monitoring:
# Escape the dots: an unescaped "." in a grep pattern matches any character, so "../" would match far more than traversal attempts.
# -i also catches the URL-encoded form (%2E%2E).
grep -iE '\.\./|%2e%2e' /var/log/jmix/access.log
- WAF Rules:
location /files {
    # "\.\." matches a literal ".."; the unescaped ".." matches any two characters and
    # would reject almost every request that carries a query string. ~* also catches %2E%2E.
    if ($args ~* "(\.\.|%2e%2e)") {
        return 403;
    }
}
Mitigation:
- Restrict filesystem permissions for the Jmix process.
- Audit database entries for malicious `FileRef` values.
- Use `realpath()` to resolve canonical paths before file access.
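The canonical-path mitigation above, shown as an added Java example rather than Jmix's own code: the unchecked resolution that the vulnerability corresponds to sits beside a hardened resolver that rejects absolute references, normalizes the path and requires the result to stay under the storage root. The class name, the temporary storage root and the sample references are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Constructed example, not Jmix code: the storage root and class name are assumptions.
public final class SafeFileRefResolver {
    private final Path root;

    public SafeFileRefResolver(Path storageRoot) throws IOException {
        // toRealPath() follows symlinks and normalizes, so later comparisons are canonical
        this.root = storageRoot.toRealPath();
    }
    // Vulnerable pattern: the reference is joined to the root with no check, so
    // "../../etc/passwd" or an absolute reference escapes the storage directory.
    public Path resolveUnchecked(String fileRef) {
        return root.resolve(fileRef);
    }
    // Hardened version: reject absolute refs, normalize, and require the result to stay under root.
    public Path resolveChecked(String fileRef) throws IOException {
        Path ref = Paths.get(fileRef);
        if (ref.isAbsolute()) {
            throw new SecurityException("absolute fileRef rejected: " + fileRef);
        }
        // normalize() folds "." and ".." segments lexically before anything touches the disk
        Path candidate = root.resolve(ref).normalize();
        if (!candidate.startsWith(root)) {   // component-wise check, not a string prefix
            throw new SecurityException("fileRef escapes storage root: " + fileRef);
        }
        // For existing files, the real path also guards against a symlink that points outside root
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) {
            throw new SecurityException("fileRef resolves outside storage root via symlink: " + fileRef);
        }
        return candidate;
    }
    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("jmix-localfs-demo"); // constructed storage root
        SafeFileRefResolver resolver = new SafeFileRefResolver(root);
        System.out.println("unchecked: " + resolver.resolveUnchecked("../../../../etc/passwd"));
        System.out.println("accepted:  " + resolver.resolveChecked("2025/04/report.pdf"));
        for (String bad : new String[] {"../../../../etc/passwd", "/etc/passwd", "docs/../../x"}) {
            try {
                resolver.resolveChecked(bad);
            } catch (SecurityException e) {
                System.out.println("blocked:   " + e.getMessage());
            }
        }
    }
}
```

The `startsWith` test is done on `Path` components rather than on strings, so a sibling directory such as `storage-old` next to `storage` is not mistaken for a location inside the root.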
Sources:
Reported By: github.com
Extra Source Hub:
Undercode