Security Advisory

Path Traversal in elfinder.AspNet and elfinder.NetCore

A path traversal in elfinder.AspNet and elFinder.NetCore allows malicious users to place files outside of the intended directory.

Advisory ID: MLSA-2021-002
CVE: CVE-2021-23415 (elfinder.AspNet), CVE-2021-23428 (elfinder.NetCore)
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: high
Affected versions: all versions
Fixed versions: ≥ 1.1.1 (elfinder.AspNet), unfixed in elFinder.NetCore.
Discovered by: Timo Müller

Product Description

elFinder is an open-source file manager for the web, written in JavaScript using jQuery and jQuery UI. The elfinder.AspNet repository is a third-party volume driver for .NET, derived from the elFinder.NetCore project, which itself was derived from the earlier work of the Elfinder.NET project.

Details

When renaming files, elfinder.AspNet and elFinder.NetCore do not sanitize the file name supplied by the client. A file name containing a “../” sequence therefore makes it possible to place files outside of the intended directory.
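As an added illustration of the mitigation (my own example, not code from elfinder.AspNet or elFinder.NetCore), the following C# guard rejects any new name that is not a single path segment and then verifies that the canonical target still lies under the volume root. The class and method names, and the three path arguments, are assumed.

```csharp
using System;
using System.IO;

// Added example: validate the new name of a rename request before it is
// joined to a volume path, then re-check the fully resolved target.
public static class SafeRename
{
    // Returns the canonical target path when the rename stays inside
    // volumeRoot; returns null (reject the request) otherwise.
    public static string ResolveTarget(string volumeRoot, string currentFile, string newName)
    {
        // 1. The new name must be a single path segment: no NUL bytes,
        //    no separators, not "." or "..", nothing Path.GetFileName strips.
        if (string.IsNullOrWhiteSpace(newName)
            || newName.IndexOf('\0') >= 0
            || newName == "." || newName == ".."
            || newName.IndexOfAny(new[] { '/', '\\' }) >= 0
            || newName != Path.GetFileName(newName))
        {
            return null;
        }

        // 2. Canonicalise the root and keep a trailing separator so that
        //    "/srv/files" cannot match a sibling such as "/srv/files2".
        string root = Path.GetFullPath(volumeRoot)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // 3. Build the target next to the file being renamed and resolve it
        //    fully; GetFullPath collapses any ".." segments that remain.
        string currentFull = Path.GetFullPath(Path.Combine(root, currentFile));
        string directory = Path.GetDirectoryName(currentFull) ?? root;
        string target = Path.GetFullPath(Path.Combine(directory, newName));

        // 4. Containment check on the canonical path. Ordinal comparison is
        //    case-sensitive, so on case-insensitive file systems it fails
        //    closed rather than open.
        return target.StartsWith(root, StringComparison.Ordinal) ? target : null;
    }
}
```

A rooted or traversing currentFile also resolves outside root and is rejected by step 4, so the guard fails closed on both arguments.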

Coordinated Disclosure Timeline

  • 30/06/2021 Issue reported to Snyk, which handled the vulnerability disclosure and assigned CVEs.
  • 10/07/2021 GitHub commit with mitigation (elfinder.AspNet).
  • 28/07/2021 Public disclosure (elfinder.AspNet).
  • 20/08/2021 Public disclosure (elfinder.NetCore).