漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
Vulnerability Description
Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
Budibase 路径遍历漏洞
Vulnerability Description
Budibase是英国Budibase开源的一个用于在几分钟内创建内部应用程序、工作流和管理面板的低代码平台。 Budibase 3.33.4之前版本存在路径遍历漏洞,该漏洞源于插件文件上传端点缺少路径遍历序列清理,可能导致具有全局构建者权限的攻击者删除或写入任意文件。
CVSS Information
N/A
Vulnerability Type
N/A