CVE-2024-56331 Information

Description

Uptime Kuma is an open source self-hosted monitoring tool. An Improper URL Handling Vulnerability allows an attacker to access sensitive local files on the server by exploiting the file:/// protocol. This vulnerability is triggered via the eal-browser\ request type which takes a screenshot of the URL provided by the attacker. By supplying local file paths such as file:///etc/passwd an attacker can read sensitive data from the server. This vulnerability arises because the system does not properly validate or sanitize the user input for the URL field. Specifically: 1. The URL input (<input data-v-5f5c86d7=\ id=rl\ type=rl\ class=orm-control\ pattern=\https?://.+\ required=\>) allows users to input arbitrary file paths including those using the file:/// protocol without server-side validation. 2. The server then uses the user-provided URL to make a request passing it to a browser instance that performs the eal-browser\ request which takes a screenshot of the content at the given URL. If a local file path is entered (e.g. file:///etc/passwd) the browser fetches and captures the file’s content. Since the user input is not validated an attacker can manipulate the URL to request local files (e.g. file:///etc/passwd) and the system will capture a screenshot of the file’s content potentially exposing sensitive data. Any authenticated user who can submit a URL in eal-browser\ mode is at risk of exposing sensitive data through screenshots of these files. This issue has been addressed in version 1.23.16 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Reference

https://github.com/louislam/uptime-kuma/commit/6cfae01a0d3727c517afe512fc8fec1d99acf875 https://github.com/louislam/uptime-kuma/security/advisories/GHSA-2qgm-m29m-cj2h Uptime Kuma is an open source self-hosted monitoring tool. An Improper URL Handling Vulnerability allows an attacker to access sensitive local files on the server by exploiting the file:/// protocol. This vulnerability is triggered via the ** eal-browser** request type which takes a screenshot of the URL provided by the attacker. By supplying local file paths such as file:///etc/passwd an attacker can read sensitive data from the server. This vulnerability arises because the system does not properly validate or sanitize the user input for the URL field. Specifically: 1. The URL input (<input data-v-5f5c86d7=\ id=rl\ type=rl\ class=orm-control\ pattern=\[***https?://.+\***](https?://.+\) required=\>) allows users to input arbitrary file paths including those using the file:/// protocol without server-side validation. 2. The server then uses the user-provided URL to make a request passing it to a browser instance that performs the eal-browser
request which takes a screenshot of the content at the given URL. If a local file path is entered (e.g. file:///etc/passwd) the browser fetches and captures the file’s content. Since the user input is not validated an attacker can manipulate the URL to request local files (e.g. file:///etc/passwd) and the system will capture a screenshot of the file’s content potentially exposing sensitive data. Any authenticated user who can submit a URL in eal-browser
mode is at risk of exposing sensitive data through screenshots of these files. This issue has been addressed in version 1.23.16 and all users are advised to upgrade. There are no known workarounds for this vulnerability.