{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/gramps-web-api/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Gramps Web API"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","zip-slip","gramps-webapi","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Gramps"],"content_html":"\u003cp\u003eA critical path traversal vulnerability, known as Zip Slip, has been identified in gramps-webapi versions 1.6.0 through 3.11.0. This flaw resides within the media archive import functionality and allows an authenticated user with owner-level privileges to upload a specially crafted ZIP file containing directory traversal sequences (../) in the filenames. Successful exploitation enables an attacker to write arbitrary files outside the designated temporary extraction directory on the server's local filesystem. The risk is highest in multi-tree deployments where tree owners are distinct from server administrators. The impact ranges from cross-tree data corruption to application config file overwrite, depending on the specific deployment configuration (SQLite+local media, Postgres+S3 media, or Postgres+S3+env-var-only config).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the gramps-webapi instance with owner-level privileges.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious ZIP archive containing files with filenames including directory traversal sequences such as \u003ccode\u003e../\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious ZIP archive via the media archive import feature.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eMediaImporter._check_disk_space_and_extract()\u003c/code\u003e function in \u003ccode\u003egramps_webapi/api/media_importer.py\u003c/code\u003e is called.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ezipfile.extractall()\u003c/code\u003e function extracts the contents of the ZIP archive without proper validation of entry names.\u003c/li\u003e\n\u003cli\u003eDue to the lack of sanitization, files are extracted to locations outside the intended temporary directory.\u003c/li\u003e\n\u003cli\u003eDepending on the server configuration, the attacker overwrites sensitive files such as database files, media files, or application configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistent code execution or data corruption within the gramps-webapi instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several critical consequences. In multi-tree deployments, an attacker can overwrite another tree's database or media files, causing cross-tree data corruption or replacement. In deployments using local media storage, sensitive application configuration files can be overwritten. Even in configurations using Postgres and S3 storage with environment variable-based configurations, the attacker can write to ephemeral container storage, potentially disrupting service until a worker restart. The impact is most significant in multi-tree environments where owner privileges are granted to untrusted users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided by gramps-webapi that validates ZIP entry names against the resolved real path of the temporary directory before extraction, preventing writes outside the intended directory, or upgrade to a non-vulnerable version.\u003c/li\u003e\n\u003cli\u003eFor multi-tree deployments, review and restrict owner-level privileges to trusted users only to mitigate the risk of malicious archive uploads.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the media archive import endpoint, potentially indicating attempts to upload malicious ZIP files. Create a Sigma rule to detect this activity based on unusual URI parameters (see example rule below).\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on sensitive files and directories (e.g., database files, media directories, application configuration files) to detect unauthorized modifications. Use file_event logs to alert on these changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-gramps-webapi-zip-slip/","summary":"A path traversal vulnerability (Zip Slip) exists in the gramps-webapi media archive import feature, allowing authenticated users with owner privileges to write arbitrary files outside the intended temporary extraction directory via malicious ZIP files, potentially leading to data corruption or replacement.","title":"Gramps Web API Zip Slip Vulnerability in Media Archive Import","url":"https://feed.craftedsignal.io/briefs/2024-01-gramps-webapi-zip-slip/"}],"language":"en","title":"CraftedSignal Threat Feed - Gramps Web API","version":"https://jsonfeed.org/version/1.1"}