
CVE-2019-13915: b3log Wide unauthenticated file access

CVSS Score (v3.0): 7.5

Basic Information

EPSS Score: 0.55665%
Published: 5/24/2022
Updated: 8/25/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name: github.com/b3log/wide
Ecosystem: Go
Vulnerable Versions: < 1.6.0
First Patched Version: 1.6.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The advisory describes three attack vectors: symlink extraction from an uploaded ZIP archive, symlink import from a cloned Git repository, and abuse of the editor's compile-and-run feature.

  1. ZIP handling: the file.handleZipUpload function likely extracts uploads with Go's archive/zip without inspecting entry modes for symlinks or sanitizing entry names. A symlink entry therefore lands in the workspace pointing at a file outside it, and the editor then serves whatever the link resolves to; unsanitized names additionally allow path traversal during extraction.
  2. Git imports: git.ImportRepository likely clones a repository without checking the resulting working tree for symlinks, so a repository that contains a symlink to a file outside the workspace exposes that file through the editor in the same way as the ZIP vector.
  3. Code execution: playground.CompileAndRun likely runs user-supplied Go code through os/exec with no sandbox, so code typed into the editor can read any file the Wide server process can read. These functions align with the described CWE-59 (improper link resolution) and CWE-74 (injection) patterns and with standard Go file-handling pitfalls.
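The following is an added example in Go, not code from Wide or from the page's analysis, showing how an importer closes the first two vectors: ExtractZip refuses symlink entries, other special files and zip-slip names while extracting an upload, and ScanForSymlinks walks a checkout (such as a freshly cloned repository) without following links so the import can be refused if any symlink is present. All identifiers (ErrUnsafeEntry, ExtractZip, writeEntry, ScanForSymlinks, BuildDemoZip) are hypothetical, and BuildDemoZip constructs the hostile upload in memory for the demonstration; the function names guessed above (file.handleZipUpload, git.ImportRepository) are not used.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafeEntry = errors.New("unsafe entry") // wrapped into every refusal below

// ExtractZip extracts r into dest, aborting at the first symlink entry (the ZIP
// vector of the CVE), special file or name that escapes dest; that entry is never written.
func ExtractZip(r *zip.Reader, dest string) error {
	for _, f := range r.File {
		mode := f.Mode()
		if t := mode.Type(); t != 0 && t != os.ModeDir {
			return fmt.Errorf("%w: %q has type %v", ErrUnsafeEntry, f.Name, t)
		}
		rel := filepath.ToSlash(filepath.Clean(filepath.FromSlash(f.Name))) // cleaned name for the zip-slip check
		if filepath.IsAbs(f.Name) || strings.HasPrefix(f.Name, "/") || strings.HasPrefix(f.Name, "\\") ||
			rel == "." || rel == ".." || strings.HasPrefix(rel, "../") {
			return fmt.Errorf("%w: name %q escapes the workspace", ErrUnsafeEntry, f.Name)
		}
		target := filepath.Join(dest, filepath.FromSlash(rel))
		var err error
		if mode.IsDir() {
			err = os.MkdirAll(target, 0o755)
		} else if err = os.MkdirAll(filepath.Dir(target), 0o755); err == nil {
			err = writeEntry(f, target)
		}
		if err != nil {
			return err
		}
	}
	return nil
}

// writeEntry copies one regular file out; O_EXCL means a symlink already planted at target is never followed.
func writeEntry(f *zip.File, target string) error {
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, f.Mode().Perm()|0o600)
	if err != nil {
		return err
	}
	if _, err = io.Copy(out, rc); err != nil {
		out.Close()
		return err
	}
	return out.Close()
}

// ScanForSymlinks walks root without following links and lists every symlink's relative
// path; run it on a fresh clone (the Git vector of the CVE) and refuse a non-empty result.
func ScanForSymlinks(root string) ([]string, error) {
	var links []string
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.Mode()&os.ModeSymlink == 0 {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		links = append(links, filepath.ToSlash(rel))
		return nil
	})
	return links, err
}

// BuildDemoZip builds a constructed hostile upload in memory: a benign source
// file, optionally a symlink entry aimed at /etc/passwd, then a zip-slip entry.
func BuildDemoZip(withSymlink bool) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	fw, _ := w.Create("src/main.go")
	fw.Write([]byte("package main\n"))
	if withSymlink {
		h := &zip.FileHeader{Name: "passwd"}
		h.SetMode(os.ModeSymlink | 0o777) // recorded as a Unix S_IFLNK external attribute
		fw, _ = w.CreateHeader(h)
		fw.Write([]byte("/etc/passwd")) // a symlink entry's body is its link target
	}
	fw, _ = w.Create("../../escape.txt")
	fw.Write([]byte("outside the workspace\n"))
	w.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "wide-import-")
	defer os.RemoveAll(dest)
	data := BuildDemoZip(true)
	zr, _ := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	fmt.Println("extract:", ExtractZip(zr, dest))
}
```

Run with `go run`: extraction writes src/main.go, then stops at the symlink entry with an ErrUnsafeEntry error, so nothing in the workspace can resolve outside it. The order of checks is deliberate: the entry type is inspected before any path is built, and O_EXCL on the write means a link that somehow already exists at the target (planted by an earlier import) is not followed either. None of this helps with the third vector, where the attacker's own Go code runs on the server; that needs the compile-and-run step to be sandboxed rather than the workspace to be filtered.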


WAF Protection Rules

WAF Rule

b3log Wide before 1.6.0 allows three types of attacks to access arbitrary files. First, the attacker can write code in the editor, and compile and run it approximately three times to read an arbitrary file. Second, the attacker can create a symlink,
