Debian · Hiki · CVE-2007-2836
Name of the Vulnerable Software and Affected Versions:
Hiki versions 0.8.0 through 0.8.6
Description:
Hiki, a wiki engine written in Ruby, is affected by a directory traversal vulnerability in session.rb that lets a remote, unauthenticated attacker delete arbitrary files with the privileges of the web server process, compromising the integrity and availability of anything that process can write to. At logout, the session ID supplied by the client is checked against a regular expression that is not restrictive enough to exclude traversal sequences such as `../`, and the value is then used to build the name of the session file that is unlinked. A session ID that passes the weak check but points outside the session directory therefore causes a file chosen by the attacker to be deleted.
Recommendations:
Upgrade Hiki to a release later than 0.8.6, or install the corrected Debian package where one is available for your release; check the Debian security tracker and the upstream Hiki site for the fixed version before relying on a workaround. Until the upgrade is in place, reduce the blast radius rather than trying to hide `session.rb` (restricting read access to a library file the application itself must load does nothing against this bug): run the Hiki CGI under a dedicated account whose write permission is limited to Hiki's own data and session directories, so a traversal cannot reach files elsewhere. The permanent fix is to validate the session ID against an anchored pattern that allows only a fixed-length string of characters that can never form a path component separator (in Ruby use `\A` and `\z`, since `^` and `$` match at line boundaries and can be bypassed with an embedded newline), and to reject any resolved path that does not stay inside the session directory. Requests whose session cookie contains `../` or its URL-encoded form (`%2e%2e%2f`) in the access log indicate that someone is probing for this issue.
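The following Ruby example is added here and is not Hiki's code. The regular expressions, the directory layout, and the `logout` handler are assumptions that model the pattern the description names (a weakly matched session ID feeding a filename that is deleted at logout) beside the hardened check the recommendations call for, and it also shows the Ruby-specific `^`/`$` pitfall.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical weak check: unanchored, so it only asks "does the ID contain
# at least one acceptable character?" and waves traversal sequences through.
WEAK_SESSION_RE = /[0-9a-zA-Z]+/

# Hypothetical check anchored with ^ and $: in Ruby these match at line
# boundaries, so a clean first line followed by "\n../..." still passes.
LINE_ANCHORED_RE = /^[0-9a-zA-Z]{32}$/

# Hardened check: \A and \z anchor to the whole string, the length is fixed,
# and the character class can never contain "/", "\" or ".".
STRICT_SESSION_RE = /\A[0-9a-zA-Z]{32}\z/

def weak_valid?(sid)
  !!(sid =~ WEAK_SESSION_RE)
end

def line_anchored_valid?(sid)
  !!(sid =~ LINE_ANCHORED_RE)
end

def strict_valid?(sid)
  !!(sid =~ STRICT_SESSION_RE)
end

# Second line of defence: resolve the final path lexically and refuse
# anything that does not stay below the session directory.
def confined?(session_dir, sid)
  base = File.expand_path(session_dir)
  path = File.expand_path(File.join(base, sid))
  path.start_with?(base + File::SEPARATOR)
end

# Logout handler modelled on the vulnerable pattern: validate the ID, build
# a filename from it, delete that file. Returns true if a file was removed.
def logout(session_dir, sid, validator)
  return false unless validator.call(sid)
  file = File.join(session_dir, sid)
  File.exist?(file) && File.delete(file) == 1
end

# Constructed layout (created in a temporary directory, removed afterwards):
#   <tmp>/victim.txt          file outside the session directory
#   <tmp>/sessions/<32 chars> a legitimate session file
# Runs the handler with the weak and the strict validator against a
# traversal session ID and reports what survived.
def demo
  Dir.mktmpdir do |tmp|
    sessions = File.join(tmp, 'sessions')
    FileUtils.mkdir_p(sessions)
    victim = File.join(tmp, 'victim.txt')
    File.write(victim, 'important')
    good_id = 'a' * 32
    File.write(File.join(sessions, good_id), 'session')

    evil_id = '../victim.txt' # passes the weak check because it contains letters

    result = {}
    result[:weak_deleted_victim] = logout(sessions, evil_id, method(:weak_valid?))
    result[:victim_exists_after_weak] = File.exist?(victim)

    File.write(victim, 'important') # restore the victim for the second run
    result[:strict_deleted_victim] = logout(sessions, evil_id, method(:strict_valid?))
    result[:victim_exists_after_strict] = File.exist?(victim)
    result[:strict_deleted_own] = logout(sessions, good_id, method(:strict_valid?))
    result
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The `confined?` check is deliberately lexical (`File.expand_path` collapses `..` without touching the filesystem), so it can be applied before any unlink; pairing it with the anchored regex means a single mistake in either does not hand an attacker arbitrary deletion.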