GHSA-WF69-R4MX-43RR
Vulnerability from github – Published: 2026-06-22 19:54 – Updated: 2026-06-22 19:54
VLAI
Summary
AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration
Details
Vulnerability Details
CWE: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
The official docker-compose.yml (line 61) mounts the entire project root directory as the Apache document root:
volumes:
- "./:/var/www/html/AVideo"
This causes the .env file — which contains database credentials, admin passwords, and infrastructure configuration — to be served as a static file at /.env. No .htaccess rule or Apache configuration blocks access to dotfiles.
Exposed Information
An unauthenticated request to GET /.env returns:
DB_MYSQL_HOST=database
DB_MYSQL_USER=avideo
DB_MYSQL_PASSWORD=avideo
SYSTEM_ADMIN_PASSWORD=admin123
TLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt
TLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key
NETWORK_SUBNET=172.30.0.0/16
Steps to Reproduce
Prerequisites
- AVideo deployed using the official
docker-compose.yml - No modifications to the default configuration
Steps
- Deploy AVideo using
docker compose up -d - Send:
curl http://target/.env - The full
.envfile contents are returned, including database credentials and admin password
Impact
- Attacker: Unauthenticated (any remote user)
- Victim: AVideo server and database
- Specific damage: Attacker obtains database credentials (
DB_MYSQL_USER,DB_MYSQL_PASSWORD), admin password (SYSTEM_ADMIN_PASSWORD), and internal network topology (NETWORK_SUBNET). This enables direct database access, admin panel takeover, and further lateral movement within the Docker network.
Proposed Fix
Add a .htaccess rule to block access to dotfiles:
# Block access to hidden files (.env, .git, etc.)
<FilesMatch "^\.">
Order Allow,Deny
Deny from all
</FilesMatch>
Or configure Apache to deny dotfile access in the virtual host configuration.
Severity
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "29.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33692"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T19:54:15Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Vulnerability Details\n\n**CWE**: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory\n\nThe official `docker-compose.yml` (line 61) mounts the entire project root directory as the Apache document root:\n\n```yaml\nvolumes:\n - \"./:/var/www/html/AVideo\"\n```\n\nThis causes the `.env` file \u2014 which contains database credentials, admin passwords, and infrastructure configuration \u2014 to be served as a static file at `/.env`. No `.htaccess` rule or Apache configuration blocks access to dotfiles.\n\n### Exposed Information\n\nAn unauthenticated request to `GET /.env` returns:\n\n```\nDB_MYSQL_HOST=database\nDB_MYSQL_USER=avideo\nDB_MYSQL_PASSWORD=avideo\nSYSTEM_ADMIN_PASSWORD=admin123\nTLS_CERTIFICATE_FILE=/etc/apache2/ssl/localhost.crt\nTLS_CERTIFICATE_KEY=/etc/apache2/ssl/localhost.key\nNETWORK_SUBNET=172.30.0.0/16\n```\n\n## Steps to Reproduce\n\n### Prerequisites\n- AVideo deployed using the official `docker-compose.yml`\n- No modifications to the default configuration\n\n### Steps\n1. Deploy AVideo using `docker compose up -d`\n2. Send: `curl http://target/.env`\n3. The full `.env` file contents are returned, including database credentials and admin password\n\n## Impact\n\n- **Attacker**: Unauthenticated (any remote user)\n- **Victim**: AVideo server and database\n- **Specific damage**: Attacker obtains database credentials (`DB_MYSQL_USER`, `DB_MYSQL_PASSWORD`), admin password (`SYSTEM_ADMIN_PASSWORD`), and internal network topology (`NETWORK_SUBNET`). This enables direct database access, admin panel takeover, and further lateral movement within the Docker network.\n\n## Proposed Fix\n\nAdd a `.htaccess` rule to block access to dotfiles:\n\n```apache\n# Block access to hidden files (.env, .git, etc.)\n\u003cFilesMatch \"^\\.\"\u003e\n Order Allow,Deny\n Deny from all\n\u003c/FilesMatch\u003e\n```\n\nOr configure Apache to deny dotfile access in the virtual host configuration.",
"id": "GHSA-wf69-r4mx-43rr",
"modified": "2026-06-22T19:54:15Z",
"published": "2026-06-22T19:54:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wf69-r4mx-43rr"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/7f418de1a95ab87bb8c8c3eb3702d71c351e098d"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…