Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cockpit CMS Path Traversal via Bucket Name in Bucket File Storage API
Vulnerability Description
Cockpit CMS contains a path traversal vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php sanitizes the bucket name with preg_replace('/[^a-zA-Z0-9-_\\.]/','', $bucket), which permits '..' and '../' sequences. The sanitized value is interpolated into a Flysystem path as uploads://buckets/{bucket}. Flysystem's WhitespacePathNormalizer resolves 'buckets/..' to the empty string (the uploads storage root) without raising PathTraversalDetected because the '..' has a preceding component to consume. An authenticated low-privileged user can send a crafted request with a '../' bucket name to list, upload, and delete files across all buckets, including those belonging to other users or roles
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
Cockpit CMS 路径遍历漏洞
Vulnerability Description
Cockpit Cockpit CMS是Cockpit组织的内容管理系统。 Cockpit CMS 2.14.0之前版本存在路径遍历漏洞,该漏洞源于Bucket文件存储API中存在路径遍历漏洞,涉及使用preg_replace函数对bucket名称进行清理时允许'..'和'../'序列,可能导致已验证的低权限用户通过发送特制请求列出、上传和删除所有存储桶中的文件。
CVSS Information
N/A
Vulnerability Type
N/A