CVE-2024-45388

Hoverfly is a lightweight service virtualization/ API simulation / API mocking tool for developers and testers. The `/api/v2/simulation` POST handler allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker to read arbitrary files from the Hoverfly server. Note that, although the code prevents absolute paths from being specified, an attacker can escape out of the `hf.Cfg.ResponsesBodyFilesPath` base path by using `../` segments and reach any arbitrary files. This issue was found using the Uncontrolled data used in path expression CodeQL query for python. Users are advised to make sure the final path (`filepath.Join(hf.Cfg.ResponsesBodyFilesPath, filePath)`) is contained within the expected base path (`filepath.Join(hf.Cfg.ResponsesBodyFilesPath, "/")`). This issue is also tracked as GHSL-2023-274.
Configurations

Configuration 1 (hide)

cpe:2.3:a:hoverfly:hoverfly:*:*:*:*:*:*:*:*

History

19 Sep 2024, 15:18

Type Values Removed Values Added
CWE CWE-22
First Time Hoverfly
Hoverfly hoverfly
References () https://codeql.github.com/codeql-query-help/go/go-path-injection - () https://codeql.github.com/codeql-query-help/go/go-path-injection - Not Applicable
References () https://github.com/SpectoLabs/hoverfly/releases/tag/v1.10.3 - () https://github.com/SpectoLabs/hoverfly/releases/tag/v1.10.3 - Release Notes
References () https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-6xx4-x46f-f897 - () https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-6xx4-x46f-f897 - Exploit, Vendor Advisory
References () https://github.com/spectolabs/hoverfly/blob/15d6ee9ea4e0de67aec5a41c28d21dc147243da0/core/handlers/v2/simulation_handler.go#L87 - () https://github.com/spectolabs/hoverfly/blob/15d6ee9ea4e0de67aec5a41c28d21dc147243da0/core/handlers/v2/simulation_handler.go#L87 - Product
CPE cpe:2.3:a:hoverfly:hoverfly:*:*:*:*:*:*:*:*

03 Sep 2024, 12:59

Type Values Removed Values Added
Summary
  • (es) Hoverfly es una herramienta liviana de simulación de API/virtualización de servicios/simulación de API para desarrolladores y evaluadores. El controlador POST `/api/v2/simulation` permite a los usuarios crear nuevas vistas de simulación a partir del contenido de un archivo especificado por el usuario. Un atacante puede abusar de esta característica para leer archivos arbitrarios del servidor Hoverfly. Tenga en cuenta que, aunque el código evita que se especifiquen rutas absolutas, un atacante puede escapar de la ruta base `hf.Cfg.ResponsesBodyFilesPath` mediante segmentos `../` y llegar a cualquier archivo arbitrario. Este problema se encontró utilizando la consulta CodeQL de expresión de ruta de datos no controlados para Python. Se recomienda a los usuarios asegurarse de que la ruta final (`filepath.Join(hf.Cfg.ResponsesBodyFilesPath, filePath)`) esté contenida dentro de la ruta base esperada (`filepath.Join(hf.Cfg.ResponsesBodyFilesPath, "/")`). Este problema también se registra como GHSL-2023-274.

02 Sep 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-02 18:15

Updated : 2024-09-19 15:18


NVD link : CVE-2024-45388

Mitre link : CVE-2024-45388

CVE.ORG link : CVE-2024-45388


JSON object : View

Products Affected

hoverfly

  • hoverfly
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor