Headline
CVE-2023-2268: Plane v0.7.1 - Unauthorized access to files | Advisories | Fluid Attacks
Plane version 0.7.1 allows an unauthenticated attacker to view all stored server files of all users.
- Giardino
Summary
Name
Plane v0.7.1 - Insecure file upload
Code name
Giardino
Product
Plane
Affected versions
0.7.1
State
Public
Release Date
2023-07-14
Vulnerability
Kind
Insecure file upload
Rule
027. Unauthorized access to files
Remote
Yes
CVSSv3 Vector
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSSv3 Base Score
7.5
Exploit available
Yes
CVE ID(s)
CVE-2023-2268
Description
Plane version 0.7.1 allows an unauthenticated attacker to view all stored server files of all users.
Vulnerability
In the application users can change the photo of their avatar and upload different types of files of different extensions which are all stored in the same folder and there is no restriction. Any unauthenticated person can access and download the resources. Knowing that Plane is created to create issues on projects and manage them, this is critical, because if bugs are reported on an application, an attacker can obtain the evidence and files of the same issue.
Exploit
Evidence of exploitation
By accessing the /uploads/ directory you can see all the files stored on the server.
Our security policy
We have reserved the CVE-2023-2268 to refer to this issue from now on.
- https://fluidattacks.com/advisories/policy/
System Information
Version: Plane 0.7.1
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Lautaro Casanova from Fluid Attacks’ Offensive Team.
References
Vendor page https://github.com/makeplane/plane
Timeline
2023-06-19
Vulnerability discovered.
2023-06-20
Vendor contacted.
2023-06-23
Vendor Confirmed the vulnerability.
2023-07-14
Public Disclosure.