GHSA-FV2P-QJ5P-WQQ4

Vulnerability from github – Published: 2025-07-03 14:18 – Updated: 2025-07-03 14:18
VLAI
Summary
LF Edge eKuiper vulnerable to File Path Traversal leading to file replacement
Details

Summary

Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. In this case, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

Details

The file handler function trusts the filename provided by the user. This includes the cases when the user uses a path instead of the filename. This makes possible to write arbitrary files to the system and replace the files owned by kuiper user on the filesystem. The vulnerable function is fileUploadHandler which is shown below:

https://github.com/lf-edge/ekuiper/blob/1e6b6b6601445eb05316532f5fbef7f0a863ecfe/internal/server/rest.go#L329-L359

Exploitation of this vulnerability allows an attacker to rewrite the files owned by ekuiper including the main kuiper binaries as they are owned by kuiper user:

kuiper binaries

PoC

  1. The files should be uploaded to /kuiper/data/uploads directory. So let's move to the /kuiper/data, examine the existing files and create an empty traversal-poc file owned by kuiper:

Preparation

  1. Now, we can go to Services > Configuration > File Management and try to upload file with name ../test:

GUI

Request in Burp

In the response we can see the path of the uploaded file and can assume that the traversal worked.

  1. Now we can try to change the traversal-poc file that we know exists on the server. It can be made with the following request:

traversal-poc change

  1. Now, if we look at the server, we can see the file created in the traversed directory and the replaced poc-file:

Changed files

Impact

  • Possibility to upload files to external directories;
  • Possibility to rewrite any file owned by kuiper user on the filesystem.

Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lf-edge/ekuiper/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lf-edge/ekuiper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.14.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-03T14:18:04Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nPath traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. In this case, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.\n\n### Details\nThe file handler function trusts the filename provided by the user. This includes the cases when the user uses a path instead of the filename. This makes possible to write arbitrary files to the system and **replace** the files owned by _kuiper_ user on the filesystem. The vulnerable function is `fileUploadHandler` which is shown below:\n\nhttps://github.com/lf-edge/ekuiper/blob/1e6b6b6601445eb05316532f5fbef7f0a863ecfe/internal/server/rest.go#L329-L359\n\nExploitation of this vulnerability allows an attacker to rewrite the files owned by ekuiper including the main kuiper binaries as they are owned by _kuiper_ user:\n\n![kuiper binaries](https://github.com/user-attachments/assets/58cf0dc9-20aa-4976-b199-d052a8f5a676)\n\n\n### PoC\n0.  The files should be uploaded to `/kuiper/data/uploads` directory. So let\u0027s move to the `/kuiper/data`, examine the existing files and create an empty `traversal-poc` file owned by  _kuiper_:\n\n![Preparation](https://github.com/user-attachments/assets/c1010cfe-ca3e-481d-b895-820a96f2af60)\n\n1. Now, we can go to _Services \u003e Configuration \u003e File Management_ and try to upload file with name `../test`:\n\n![GUI](https://github.com/user-attachments/assets/31402874-d8a1-450b-91d6-025533c7be33)\n\n![Request in Burp](https://github.com/user-attachments/assets/a4b01f57-5ce0-4791-8a6e-69eb47bca40b)\n\nIn the response we can see the path of the uploaded file and can assume that the traversal worked.\n\n2. Now we can try to change the `traversal-poc` file that we know exists on the server. It can be made with the following request:\n\n![traversal-poc change](https://github.com/user-attachments/assets/164a7088-9152-4a6d-bef4-de8b4637ed51)\n\n3. Now, if we look at the server, we can see the file created in the traversed directory and the replaced poc-file:\n\n![Changed files](https://github.com/user-attachments/assets/1be0bb36-66b7-4552-9b5d-6298c15d59bb)\n\n### Impact\n- Possibility to upload files to external directories;\n- Possibility to rewrite any file owned by _kuiper_ user on the filesystem.\n\nReported by Alexey Kosmachev, Lead Pentester from Bi.Zone",
  "id": "GHSA-fv2p-qj5p-wqq4",
  "modified": "2025-07-03T14:18:04Z",
  "published": "2025-07-03T14:18:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-fv2p-qj5p-wqq4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lf-edge/ekuiper"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/blob/1e6b6b6601445eb05316532f5fbef7f0a863ecfe/internal/server/rest.go#L329-L359"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LF Edge eKuiper vulnerable to File Path Traversal leading to file replacement"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…