FastapiAdmin <=2.2.0 Path Traversal Information Disclosure Vulnerability

From this webpage screenshot, the key vulnerability information obtained is as follows: Title: fastapiadmin <= 2.2.0 Path Traversal: '/absolute/pathname/here' Description: - An unrestricted file download vulnerability exists in FastapiAdmin (<=2.2.0) at the /api/v1/common/file/download path (utilizing /backed/app/api/v1/module_common/file/controller.py, /backed/app/api/v1/module_common/file/service.py, /backend/app/utils/upload_util.py). - The vulnerability stems from the download endpoint accepting arbitrary file_path parameters without performing path validation or normalization, instead directly using Path(file_path) to open and stream files. - Any user with module_common:file:download permissions can provide absolute paths or traversal payloads to read sensitive server files (such as /etc/passwd or private keys), leading to information disclosure and further attacks. - Mitigation measures include enforcing path validation and normalization, restricting downloads to secure upload directories, mapping logical IDs to files, disabling absolute paths and traversal sequences, file-level permission validation, and serving files through controlled secure APIs or signed, short-lived download tokens. Source: https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnerability-2 User: Anonymous User Submission: 2021/02/11 06:13 AM (12 days ago) Moderation: 2021/02/22 04:09 PM (11 days later) Status: Accepted VulDB entry: [347360] [FastApiAdmin up to 2.2.0 Download Endpoint controller.py download_controller file_path information disclosure] Points: 20

Goal Reached Thanks to every supporter — we hit 100%!

FastapiAdmin <=2.2.0 Path Traversal Information Disclosure Vulnerability