etcd-browser 87ae63d75260 Directory Traversal

An issue was discovered in server.js in etcd-browser 87ae63d75260. By
supplying a /…/…/…/ Directory Traversal input to the URL’s GET
request while connecting to the remote server port specified during
setup, an attacker can retrieve local operating system files from the
remote system.

---

[Vulnerability Type]
Directory Traversal

---

[Vendor of Product]
https://hub.docker.com/r/buddho/etcd-browser

---

[Affected Product Code Base]
etcd-browser - Unknown

---

[Affected Component]
the server.js file does not validate the path for files.

---

[Attack Type]
Remote

---

[Impact Information Disclosure]
true

---

[CVE Impact Other]
Allow for a remote arbitrary user to obtain local operating system files

---

[Attack Vectors]
The attacker must supply a /…/…/ technique to the server application
running on the remote port specified during setup

---

[Reference]
https://hub.docker.com/r/buddho/etcd-browser
https://hub.docker.com/r/buddho/etcd-browser/tags

---

[Discoverer]
Kevin Randall