Headline
GHSA-4wpp-w5r4-7v5v: Server-Side Request Forgery in charm
We’ve discovered a vulnerability in which attackers could forge HTTP requests to manipulate the charm data directory to access or delete anything on the server. This has been patched in https://github.com/charmbracelet/charm/commit/3c90668f955c7ce5ef721e4fc9faee7053232fd3 and is available in release v0.12.1. We recommend that all users running self-hosted charm instances update immediately.
This vulnerability was found in-house and we haven’t been notified of any potential exploiters.
Additional notes
- Encrypted user data uploaded to the Charm server is safe as Charm servers cannot decrypt user data. This includes filenames, paths, and all key-value data.
- Users running the official Charm Docker images are at minimal risk because the exploit is limited to the containerized filesystem.
For more information
If you have any questions or comments about this advisory:
- Open a discussion
- Email us at [email protected]
- Chat with us on Slack
<a href="https://charm.sh/"><img alt="the Charm logo" src="https://stuff.charm.sh/charm-badge.jpg" width="400"></a>
Charm热爱开源 • Charm loves open source
Server-Side Request Forgery in charm
Critical severity GitHub Reviewed Published May 24, 2022 in charmbracelet/charm • Updated May 24, 2022
Package
gomod github.com/charmbracelet/charm (Go )
Affected versions
>= 0.9.0, < 0.12.1
Description
We’ve discovered a vulnerability in which attackers could forge HTTP requests to manipulate the charm data directory to access or delete anything on the server. This has been patched in charmbracelet/charm@3c90668 and is available in release v0.12.1. We recommend that all users running self-hosted charm instances update immediately.
This vulnerability was found in-house and we haven’t been notified of any potential exploiters.
Additional notes
- Encrypted user data uploaded to the Charm server is safe as Charm servers cannot decrypt user data. This includes filenames, paths, and all key-value data.
- Users running the official Charm Docker images are at minimal risk because the exploit is limited to the containerized filesystem.
For more information
If you have any questions or comments about this advisory:
- Open a discussion
- Email us at [email protected]
- Chat with us on Slack
Charm热爱开源 • Charm loves open source
References
- GHSA-4wpp-w5r4-7v5v
- https://nvd.nist.gov/vuln/detail/CVE-2022-29180
- charmbracelet/charm@3c90668
Severity
CVSS base metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses
GHSA ID
GHSA-4wpp-w5r4-7v5v
Source code
Improvements are not currently accepted on this advisory because it uses an unsupported versioning operator. Read more and discuss here.
Related news
A vulnerability in which attackers could forge HTTP requests to manipulate the `charm` data directory to access or delete anything on the server. This has been patched and is available in release [v0.12.1](https://github.com/charmbracelet/charm/releases/tag/v0.12.1). We recommend that all users running self-hosted `charm` instances update immediately. This vulnerability was found in-house and we haven't been notified of any potential exploiters. ### Additional notes * Encrypted user data uploaded to the Charm server is safe as Charm servers cannot decrypt user data. This includes filenames, paths, and all key-value data. * Users running the official Charm [Docker images](https://github.com/charmbracelet/charm/blob/main/docker.md) are at minimal risk because the exploit is limited to the containerized filesystem.