
Unauthenticated access to files within the 'manager' directory

High
edalex-ian published GHSA-79w4-xjfh-9rmf Nov 4, 2020

Package

No package listed

Affected versions

< 6.6, < 6.6r35, < 2018.2r49, < 2019.1.7, < 2019.2.5, < 2020.1.5

Patched versions

6.6r37, 2018.2r52, 2019.1.7, 2019.2.5, 2020.1.5, 2020.2+

Description

Impact

If a standard installation of openEQUELLA has overly permissive file permissions on the manager directory, all files within that directory (and its subdirectories) are publicly accessible. Further, in customised cases (e.g. where oEQ is manually run as a JAR via java -jar) it is possible to access files and directories within the working directory. (A number of files within the manager directory contain sensitive information: credentials and possibly general configuration.)

Patches

There is a patch available for all versions of oEQ starting at 6.6. Please ensure you upgrade to the latest version, or at least:

  • 6.6r37
  • 2018.2r52
  • 2019.1.7
  • 2019.2.5
  • 2020.1.5

Version 2020.2.0 when released will include the fix.

Workarounds

Ensure all files within the manager directory (or, in custom situations, the working directory) have permissions such that the user the openEQUELLA process runs as does not have access to them.

Alternatively, the names of known files and directories could be blocked by configuring any fronting reverse proxies or load balancers. (The specific configuration will depend on each instance's unique configuration.)
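As an added check for the file-permission workaround above (this helper is not part of openEQUELLA or of this advisory), the following POSIX sh function takes the manager directory and the account the openEQUELLA process runs as, and lists every regular file that account could still read by owner, group or world permission bits; the workaround is in place only when it reports nothing. It assumes POSIX `find`, `id` and `sed`, and that the directory path contains no colon.

```shell
#!/bin/sh
# Added audit helper (constructed for this advisory, not project code).
# Usage: audit_manager_dir /path/to/manager <service-user>
# Prints "reason: path" for each regular file the service user can read.

audit_manager_dir() {
  dir="$1"
  svc="$2"
  {
    # Files the service account owns and whose owner-read bit is set.
    find "$dir" -type f -user "$svc" -perm -400 2>/dev/null \
      | sed 's|^|owner-readable: |'

    # Files readable through any group the service account belongs to.
    for g in $(id -Gn "$svc" 2>/dev/null); do
      find "$dir" -type f ! -user "$svc" -group "$g" -perm -040 2>/dev/null \
        | sed "s|^|group-readable ($g): |"
    done

    # World-readable files are readable regardless of ownership.
    find "$dir" -type f ! -user "$svc" -perm -004 2>/dev/null \
      | sed 's|^|world-readable: |'
  } | sort -u
}

# Number of distinct exposed files; 0 means the workaround holds for $1.
exposed_count() {
  audit_manager_dir "$1" "$2" | sed 's/^[^:]*: //' | sort -u | wc -l | tr -d ' '
}
```

Run it as root (or as a user that can traverse the manager directory) so that the ownership and mode bits of every file are visible to `find`.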

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs