GHSA-XG8V-M2MH-45M6

Vulnerability from github – Published: 2024-04-05 17:15 – Updated: 2024-04-09 18:46
Summary
PsiTransfer: Violation of the integrity of file distribution
Details

Summary: The endpoint that creates an upload path within a file distribution has no restrictions, which allows an attacker to add arbitrary files to the distribution.

Details: Vulnerable endpoint: POST /files

PoC

  1. Create a file distribution.

  2. Go to the link address (the id of the file distribution is needed by an attacker to upload files there).

  3. Send a POST /files. As the value of the Upload-Metadata header we specify the sid parameter with the id of the file distribution obtained in the second step. In the response from the server, the Location header contains the path for uploading a new file to the file distribution.

  4. Send a PATCH /files/{{id}} request with arbitrary content in the request body. The id is taken from the previous step.

Result: [screenshots in the original advisory]

Impact: The vulnerability allows an attacker to affect users who visit the file distribution after the attacker, and to slip the victim files with a malicious or phishing signature.
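
A server-side check for the gap described above, as an added example that is not PsiTransfer's code and not the project's fix: it parses the `Upload-Metadata` header in the tus resumable-upload format (comma-separated `key base64value` pairs) and refuses `POST /files` for an existing `sid` unless the caller presents the token bound to it at creation. The `uploadToken` metadata key, the `owners` registry, the sid pattern and the sample values are assumptions.

```javascript
// Added example (not PsiTransfer code): authorize tus upload creation per distribution.

// Parse a tus Upload-Metadata header: comma-separated "key base64value" pairs.
function parseUploadMetadata(header) {
  const meta = {};
  for (const pair of String(header || '').split(',')) {
    const [key, value64 = ''] = pair.trim().split(/\s+/);
    if (!key) continue;
    meta[key] = Buffer.from(value64, 'base64').toString('utf8');
  }
  return meta;
}

// Length-independent comparison; production code would use crypto.timingSafeEqual
// on fixed-size digests of the two tokens.
function sameToken(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// Hypothetical in-memory registry: sid -> upload token bound when the distribution was created.
const owners = new Map();

// Decide whether a POST /files creation request may add a file to the named distribution.
// "uploadToken" is a hypothetical metadata key; the sid pattern is an assumed format.
function authorizeCreate(uploadMetadataHeader) {
  const { sid, uploadToken } = parseUploadMetadata(uploadMetadataHeader);
  if (!sid || !/^[A-Za-z0-9_-]{6,64}$/.test(sid)) return { ok: false, status: 400 };
  if (!uploadToken) return { ok: false, status: 401 };
  const bound = owners.get(sid);
  if (bound === undefined) {          // first upload creates the distribution
    owners.set(sid, uploadToken);
    return { ok: true, status: 201 };
  }
  // Existing distribution: knowing the sid from the share link is not enough.
  return sameToken(bound, uploadToken)
    ? { ok: true, status: 201 }
    : { ok: false, status: 403 };
}

// Constructed sample headers (values are made up for this example).
const enc = (s) => Buffer.from(s).toString('base64');
const ownerHdr = `sid ${enc('a1b2c3d4e5f6')},uploadToken ${enc('owner-secret')}`;
const otherHdr = `sid ${enc('a1b2c3d4e5f6')},uploadToken ${enc('guess')}`;
const bareHdr = `sid ${enc('a1b2c3d4e5f6')}`;
```

The same decision has to be applied before the server returns a `Location` for the upload, since the subsequent `PATCH /files/{{id}}` only needs that path.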


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "psitransfer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-31453"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-05T17:15:24Z",
    "nvd_published_at": "2024-04-09T18:15:09Z",
    "severity": "MODERATE"
  },
  "details": "**Summary**\nThe absence of restrictions on the endpoint, which allows you to create a path for uploading a file in a file distribution, allows an attacker to add arbitrary files to the distribution.\n\n**Details**\nVulnerable endpoint: POST /files\n\n**PoC**\n1. Create a file distribution.\n\u003cimg width=\"1434\" alt=\"\u0421\u043d\u0438\u043c\u043e\u043a \u044d\u043a\u0440\u0430\u043d\u0430 2024-03-17 \u0432 21 27 30\" src=\"https://github.com/psi-4ward/psitransfer/assets/163760990/4634a6f7-6e7d-486e-9929-76156aaa1340\"\u003e\n\n2. Go to the link address (id of the file distribution is needed by an attacker to upload files there).\n\u003cimg width=\"1426\" alt=\"\u0421\u043d\u0438\u043c\u043e\u043a \u044d\u043a\u0440\u0430\u043d\u0430 2024-03-17 \u0432 21 27 35\" src=\"https://github.com/psi-4ward/psitransfer/assets/163760990/a57c910c-69e2-4b07-985d-b0a46c69891a\"\u003e\n\n3. Send a POST /files. As the value of the Upload-Metadata header we specify the sid parameter with the id of the file distribution obtained in the second step. In the response from the server in the Location header we get the path for uploading a new file to the file distribution.\n\u003cimg width=\"1403\" alt=\"\u0421\u043d\u0438\u043c\u043e\u043a \u044d\u043a\u0440\u0430\u043d\u0430 2024-03-17 \u0432 21 28 09\" src=\"https://github.com/psi-4ward/psitransfer/assets/163760990/8b839fb8-2c0b-432f-8503-e4c42a840056\"\u003e\n\n5. Send a PATCH /files/{{id}} request with arbitrary content in the request body. 
Id is taken from the previous step.\n\u003cimg width=\"1067\" alt=\"\u0421\u043d\u0438\u043c\u043e\u043a \u044d\u043a\u0440\u0430\u043d\u0430 2024-03-17 \u0432 21 28 51\" src=\"https://github.com/psi-4ward/psitransfer/assets/163760990/c5b2acf3-fdf1-4780-8c63-61a7f19338df\"\u003e\n\nResult:\n\u003cimg width=\"1432\" alt=\"\u0421\u043d\u0438\u043c\u043e\u043a \u044d\u043a\u0440\u0430\u043d\u0430 2024-03-17 \u0432 21 29 05\" src=\"https://github.com/psi-4ward/psitransfer/assets/163760990/c49b17c8-e1d2-4894-b6e2-f50b9663fca7\"\u003e\n\u003cimg width=\"1424\" alt=\"\u0421\u043d\u0438\u043c\u043e\u043a \u044d\u043a\u0440\u0430\u043d\u0430 2024-03-17 \u0432 21 29 15\" src=\"https://github.com/psi-4ward/psitransfer/assets/163760990/e4a1e07d-3e77-4f61-a4e7-ceee4a5a7b8e\"\u003e\n\n**Impact**\nThe vulnerability allows an attacker to influence those users who come to the file distribution after him and slip the victim files with a malicious or phishing signature.",
  "id": "GHSA-xg8v-m2mh-45m6",
  "modified": "2024-04-09T18:46:53Z",
  "published": "2024-04-05T17:15:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-xg8v-m2mh-45m6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31453"
    },
    {
      "type": "WEB",
      "url": "https://github.com/psi-4ward/psitransfer/commit/b9853c97e6911e1c1c5341245ca1eb363fda5269"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/psi-4ward/psitransfer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PsiTransfer: Violation of the integrity of file distribution"
}

