amousset published GHSA-h66x-c5pj-f5f8 on Apr 24, 2025
Package: rudder-server (rudder)
Affected versions: < 8.1.11; >= 8.2.0, < 8.2.4
Patched versions: 8.1.11; 8.2.4
Description
Impact
The resource API /api/resourceExplorer is vulnerable to path traversal, allowing arbitrary files to be written on the file system.
Impact is rated low because calling the affected API requires write access to techniques, which already grants indirect write access to the Rudder server. There is hence no real privilege escalation.
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location outside of that directory.
Learn more on MITRE.
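As an added illustration (not Rudder's code, and not the fix the project shipped), this is the check a file-writing API needs to avoid the traversal described above: canonicalize the joined path and confirm it still lies under the restricted directory before writing. The base directory and the inputs are constructed for the demo.

```python
import os
import tempfile
from typing import Optional

# Added example (not Rudder's code): confine a user-supplied relative path to a
# restricted base directory before writing, the check a resource API needs so
# that '..' sequences cannot resolve to a location outside that directory.

def resolve_within(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical target path if it stays inside base_dir, else None.

    Both sides are canonicalized (resolving '.', '..' and symlinks) and the
    target must equal base_dir or be one of its descendants. Comparing
    canonical paths catches escapes that naive '..' substring filtering misses,
    such as 'a/../../x' or a symlink inside the directory pointing outside it.
    """
    base = os.path.realpath(base_dir)
    if not user_path or os.path.isabs(user_path):  # join() would drop base_dir
        return None
    target = os.path.realpath(os.path.join(base, user_path))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. different drives on Windows
        inside = False
    return target if inside else None

def write_resource(base_dir: str, user_path: str, data: bytes) -> bool:
    """Write data under base_dir only if user_path is confined to it."""
    target = resolve_within(base_dir, user_path)
    if target is None:
        return False
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return True

def demo() -> dict:
    """Try constructed inputs against a throwaway base dir; True means written."""
    base = tempfile.mkdtemp(prefix="resources-")
    attempts = ["technique/script.sh", "a/../b.txt", "../outside.txt",
                "a/../../outside.txt", "/tmp/outside.txt"]
    try:  # symlink escaping the base: no '..' for a string filter to spot
        os.symlink(os.path.dirname(base), os.path.join(base, "escape"))
        attempts.append("escape/outside.txt")
    except OSError:
        pass  # symlink creation not permitted here; skip that case
    return {p: write_resource(base, p, b"data") for p in attempts}

if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{'written ' if ok else 'rejected'} {path}")
```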
Patches
Workarounds
None.