Affected versions: v1.5.0, v1.6.0
The file upload interface /api/public/upload requires no authentication, so unauthenticated users can upload files.
When the file name is generated, directory traversal is not considered: the randomly generated sequence is concatenated with the supplied name ../../../12.jar and the result is returned as the file name, which causes directory traversal.
The code checks whether the suffix is in the whitelist, but it does nothing with the result and execution continues, so files of any type can be uploaded.
This vulnerability allows arbitrary files to be uploaded and existing files to be overwritten. An attacker can overwrite scheduled task files on the system to obtain a reverse shell, upload an SSH key, or overwrite passwd, shadow and other arbitrary files. This is a significant security risk.
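A hardened version of the file-name handling described above, as an added example and not the project's own code. It is written in Python for illustration because the page does not show the handler source; the whitelist contents and the names `build_stored_name`, `save_upload` and `UploadRejected` are assumptions.

```python
import os
import secrets
from pathlib import Path, PureWindowsPath

# Assumed whitelist for illustration; the page does not list the real one.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


class UploadRejected(ValueError):
    """Raised when a client-supplied file name fails validation."""


def build_stored_name(client_name: str) -> str:
    """Return '<random>_<basename>' or raise UploadRejected."""
    # PureWindowsPath treats both '/' and '\\' as separators, so
    # '../../../12.jar' and '..\\..\\12.jar' both reduce to '12.jar'.
    base = PureWindowsPath(client_name).name
    if not base or base in {".", ".."} or "\x00" in base:
        raise UploadRejected("empty or invalid file name")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        # The whitelist result must stop the request, not just be computed.
        raise UploadRejected(f"extension {ext!r} is not allowed")
    return f"{secrets.token_hex(8)}_{base}"


def save_upload(upload_dir: str, client_name: str, data: bytes) -> Path:
    """Write data under upload_dir only, never replacing an existing file."""
    root = Path(upload_dir).resolve()
    target = (root / build_stored_name(client_name)).resolve()
    # Defence in depth: the resolved path must still sit inside root.
    if root not in target.parents:
        raise UploadRejected("resolved path escapes the upload directory")
    # Mode 'xb' fails if the file already exists, so nothing is overwritten.
    with open(target, "xb") as fh:
        fh.write(data)
    return target
```

The endpoint itself still needs an authentication check before this code is reached; that part depends on the application's framework and is not shown.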