GHSL-2024-072_GHSL-2024-074: Stored Cross-Site Scripting (XSS), Arbitrary File Upload, and Arbitrary File Read/Write via Path Traversal in Reposilite - CVE-2024-36115, CVE-2024-36116, CVE-2024-36117

Coordinated Disclosure Timeline

• 2024-04-30: Reported via GitHub
• 2024-05-03: The issue is fixed in version 3.5.12

Summary

Reposilite is affected by multiple high severity vulnerabilities, including Stored Cross-Site Scripting (XSS), Arbitrary File Upload, and Arbitrary File Read/Write via Path Traversal. The first Cross-Site Scripting vulnerability in artifact’s content allows unauthenticated users to steal the victim’s password from the browser’s local storage. The Arbitrary File Upload and Arbitrary File Read vulnerabilities are there because of improper handling of Javadoc archives. By exploiting a path traversal in archives file names, an attacker is able to upload arbitrary files to any directory on the server. This is particularly dangerous when Reposilite is mirroring third party repositories, like the Maven Central Repository.

Project

Reposilite

Tested Version

v3.5.10

Details

Issue 1: Stored XSS in artifacts (GHSL-2024-072)

As a Maven repository manager, Reposilite provides the ability to view the artifacts content in the browser, as well as perform administrative tasks via API. The problem lies in the fact that the artifact’s content is served via the same origin (protocol/host/port) as the Admin UI. If the artifact contains HTML content with javascript inside, the javascript is executed within the same origin. Therefore, if an authenticated user is viewing the artifacts content, the javascript inside can access the browser’s local storage where the user’s password (aka “token-secret”) is stored. It is especially dangerous in scenarios where Reposilite is configured to mirror third party repositories, like the Maven Central Repository. Since anyone can publish an artifact to Maven Central under its own name, such malicious packages can be used to attack the Reposilite instance.

Steps to reproduce:

To demonstrate this vulnerability, we can start Reposilite with default settings at localhost:8080 and configure its “release” repository to mirror https://artsploit.com/maven. This is my own website intended to emulate http://repo1.maven.org/, but it also contains a proof-of-concept payload for this vulnerability. Technically I could publish this payload to Maven Central Repository, but I don’t want to clutter it.

Then, as an administrator or authenticated Reposilite user, navigate to http://localhost:8080/releases/com/artsploit/reposilite-xss/1.0/reposilite-xss-1.0.pom in the browser. This file contains the basic application/xml payload:

<?xml version="1.0" encoding="UTF-8"?>
<a:script xmlns:a="http://www.w3.org/1999/xhtml">
    alert(`Secret key: ${localStorage.getItem('token-secret')}`)
</a:script>

The script will be executed within the http://localhost:8080/ origin and the leaked token is displayed.

Impact

This issue may lead to the full Reposilite instance compromise. If this attack is performed against the admin user, it’s possible to use the admin API to modify settings and artifacts on the instance. In the worst case scenario, an attacker would be able to obtain the Remote code execution on all systems that use artifacts from Reposilite.

It’s important to note that the attacker does not need to lure a victim user to use a malicious artifact, but just open a link in the browser. This link can be silently loaded among the other HTML content, making this attack unnoticeable.

Even if the Reposilite instance is located in an isolated environment, such as behind a VPN or in the local network, this attack is still possible as it can be performed from the admin browser.

Issue 2: Path traversal in javadoc file expansion (arbitrary file creation/overwrite) (GHSL-2024-073)

Reposilite provides support for JavaDocs files, which are archives that contain documentation for artifacts. Specifically, JavadocEndpoints.kt controller allows to expand the javadoc archive into the server’s file system and return its content. The problem is in the way how the archives are expanded, specifically how the new filename is created:

JavadocContainerService.kt#L127-L136

jarFile.entries().asSequence().forEach { file ->
    if (file.isDirectory) {
        return@forEach
    }

     val path = Paths.get(javadocUnpackPath.toString() + "/" + file.name)

    path.parent?.also { parent -> Files.createDirectories(parent) }
    jarFile.getInputStream(file).copyToAndClose(path.outputStream())
}.asSuccess<Unit, ErrorResponse>()

The file.name taken from the archive can contain path traversal characters, such as ‘/../../../anythig.txt’, so the resulting extraction path can be outside the target directory.

Impact

If the archive is taken from an untrusted source, such as Maven Central or JitPack for example, an attacker can craft a special archive to overwrite any local file on Reposilite instance. This could lead to remote code execution, for example by placing a new plugin into the ‘$workspace$/plugins’ directory. Alternatively, an attacker can overwrite the content of any other package.

Note that the attacker can use its own malicious package from Maven Central to overwrite any other package on Reposilite.

Steps to reproduce

1. Create a malicious javadoc archive that contains filenames with path traversal characters:

   zip test-1.0-javadoc.jar ../../../../../../../../tmp/evil.txt index.html
   

   Make sure that ../../../../../../../../tmp/evil.txt and index.html files exist on the system where you create this archive.

2. Publish this archive to the repository which Reposilite is mirroring, such as Maven Central or JitPack. For the test purposes, I used my own server that imitates the upstream maven repository: http://artsploit.com/maven/com/artsploit/reposilite-zipslip/1.0/reposilite-zipslip-1.0-javadoc.jar

3. Start Reposilite with ‘releases’ repository mirroring to ‘http://artsploit.com/maven/’

4. Now, if the attacker send the request to http://localhost:8080/javadoc/releases/com/artsploit/reposilite-zipslip/1.0, the aforementioned archive will be obtained from the http://artsploit.com/maven/com/artsploit/reposilite-zipslip/1.0/reposilite-zipslip-1.0-javadoc.jar address and its ‘evil.txt’ file will be expanded to ‘$workspace$/tmp/evil.txt’. Note that to perform this action, an attacker does not need to provide any credentials, as fetching from the mirrored repository does not require authentication.

5. Confirm that ‘$workspace$/tmp/evil.txt’ is created on the server where Reposilite is running.

Issue 3: Path traversal while serving javadoc expanded files (arbitrary file read) (GHSL-2024-074)

Another problem lies in the way how the expanded javadoc files are served. The GET /javadoc/{repository}/<gav>/raw/<resource> route uses the <resource> path parameter to find the file in the javadocUnpackPath directory and returns it’s content to the user.

JavadocFacade.kt#L77:

fun findRawJavadocResource(request: JavadocRawRequest): Result<JavadocRawResponse, ErrorResponse> =
   with (request) {
       mavenFacade.canAccessResource(accessToken, repository, gav)
           .flatMap { javadocContainerService.loadContainer(accessToken, repository, gav) }
           .filter({ Files.exists(it.javadocUnpackPath.resolve(resource.toString())) }, { notFound("Resource $resource not found") })
           .map {
               JavadocRawResponse(
                   contentType = supportedExtensions[resource.getExtension()] ?: ContentType.APPLICATION_OCTET_STREAM,
                   content = Files.newInputStream(it.javadocUnpackPath.resolve(resource.toString()))
               )
           }
   }

In this case, the <resource> path parameter can contain path traversal characters such as /../../. Since the path is concatenated with the main directory, it opens the possibility to read files outside the javadocUnpackPath directory.

Impact

This issue may lead to Arbitrary File Read on the server. A potential attacker can read some sensitive file, such as reposilite.db, that contains the sqlite database used by Reposilite. This database contains the sensitive information used by Reposilite, including passwords and hashes of issued tokens. Also, the configuration.cdn file can be read, which contains other sensitive properties.

Steps to reproduce

1. Start the Reposilite instance on http://localhost:8080/
2. Find at least one javadoc file in the hosted repositories. For example, the default test workspace contains the /releases/javadoc/1.0.0/javadoc-1.0.0-javadoc.jar archive that is suitable for our attack.
3. Send a GET request to http://127.0.0.1:8080/javadoc/releases/javadoc/1.0.0/raw/%2e%2e%5c%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2freposilite.db When this request is processed on the server, Reposilite tries to unpack the /repositories/releases/javadoc/1.0.0/javadoc-1.0.0-javadoc.jar file into the /javadocs/releases/javadoc/1.0.0/.cache/unpack folder. Then, it tries to read the ../../../../../../reposilite.db file from this folder, which triggers the path traversal attack.

CVE

• CVE-2024-36115
• CVE-2024-36116
• CVE-2024-36117

Credit

These issues were discovered and reported by GHSL team member @artsploit (Michael Stepankin).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-072, GHSL-2024-073, or GHSL-2024-074 in any communication regarding these issues.