### Key Information

#### Vulnerability Overview
- **Vulnerability Name**: Unrestricted File Upload and Path Traversal to Remote Code Execution in Airsonic Advanced
- **Severity**: Medium
- **CVE ID**: CVE-2021-39867
- **CWE IDs**: CWE-434, CWE-22, CWE-506

#### Affected Scope
- **Affected Components**:
  - Web UI: 'Upload playlist' function
  - Server: file handling for uploaded playlists and path resolution
  - Application server: Tomcat auto-deployment behavior for `.war` files

#### Technical Details
- **Root Cause**: Uploaded file paths are neither validated nor sanitized, allowing unauthorized users to upload files to arbitrary directories.
- **Exploitation Steps**:
  1. Log in using an authenticated Airsonic user account.
  2. Navigate to the 'Upload playlist' feature.
  3. Upload a `.war` file containing malicious code.
  4. Tomcat automatically deploys the `.war` file, executing the embedded malicious code.

#### Evidence
- Screenshots showing the file upload process via the web interface, along with server logs confirming that the uploaded file was accepted and stored.
- Terminal screenshots demonstrating successful execution of the malicious code.

#### Security Analysis
- **Root Cause**: No file type validation and no path control for uploaded files.
- **Related Weaknesses**: CWE-434, CWE-22, CWE-506

#### Remediation Recommendations
- **Short-term Mitigations**:
  - Block upload paths containing specific patterns.
  - Disable deployment of certain application types.
  - Disable Tomcat's `autoDeploy` and `deployOnStartup` features.
- **Long-term Fixes**:
  - Implement strict file type validation, path normalization, and sanitization on the server side.
  - Update the application to use more secure configuration options.

#### Timeline
- 2021-09-06: Initial discovery
- 2021-09-08: Attempted contact with vendor
- 2021-09-10: Public disclosure
- 2021-09-14: CVE ID assigned
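As an added example (not code from the advisory or from the Airsonic project), the following Python check shows the kind of server-side validation the long-term fix above calls for: strip any client-supplied directory component, accept only playlist extensions, and confirm that the resolved target still lies inside a fixed playlist directory. The playlist directory, the extension allowlist and the function names are assumptions made for this illustration.

```python
from pathlib import Path, PurePosixPath

# Constructed allowlist of playlist extensions for this example; not Airsonic's own list.
ALLOWED_EXTENSIONS = {".m3u", ".m3u8", ".pls", ".xspf"}


class UploadRejected(ValueError):
    """Raised when a client-supplied upload filename fails validation."""


def resolve_playlist_upload(base_dir: str, client_filename: str) -> Path:
    """Return the only path an uploaded playlist may be written to.

    Checks, in order: no NUL bytes, no directory components (either separator),
    extension on the allowlist, and a containment check on the fully resolved
    path so that traversal and symlink escapes out of base_dir are refused.
    """
    if not client_filename or "\x00" in client_filename:
        raise UploadRejected("empty or NUL-containing filename")

    # Treat backslashes as separators too, so "..\\" cannot bypass a POSIX-only check.
    normalized = client_filename.replace("\\", "/")
    leaf = PurePosixPath(normalized).name
    if leaf in ("", ".", "..") or leaf != normalized:
        raise UploadRejected(f"directory components are not allowed: {client_filename!r}")

    if PurePosixPath(leaf).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not in playlist allowlist: {leaf!r}")

    root = Path(base_dir).resolve()
    target = (root / leaf).resolve()
    # Compare resolved paths: a symlink inside root pointing elsewhere fails here.
    if target.parent != root:
        raise UploadRejected(f"resolved path escapes playlist directory: {target}")
    return target


def classify_upload(base_dir: str, client_filename: str) -> str:
    """Wrapper returning 'accept' or 'reject:<reason>', handy for audit logging."""
    try:
        resolve_playlist_upload(base_dir, client_filename)
        return "accept"
    except UploadRejected as exc:
        return f"reject:{exc}"


if __name__ == "__main__":
    # Constructed sample filenames: one legitimate playlist, three that must be refused.
    for name in ["party.m3u8", "../../webapps/app.war", "app.war", "..\\x.m3u"]:
        print(f"{name!r:28} -> {classify_upload('.', name)}")
```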