A security flaw has been discovered in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This affects an unknown part of the file /api/admin/common/download/templates of the component API. Performing a manipulation of the argument templateName results in path traversal.
Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.3.3-beta is able to mitigate this issue.
The patch is named aefaabfd7527188bfba3c8c9eee17c316d094802. It is recommended to upgrade the affected component. The project was informed beforehand and acted very professional: "We have implemented path validity checks on parameters for the template download interface (...)"
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 7
https://github.com/feiyuchuixue/sz-boot-parent/
cna@vuldb.com
https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9e…
cna@vuldb.com
https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta
cna@vuldb.com
https://github.com/yuccun/CVE/blob/main/sz-boot-parent-Path_Traversal_to_Arbitr…
cna@vuldb.com
https://vuldb.com/?ctiid.347746
cna@vuldb.com
https://vuldb.com/?id.347746
cna@vuldb.com
https://vuldb.com/?submit.754041
cna@vuldb.com