Rapid7 · Rapid7 Velociraptor · CVE-2023-0290
**Name of the Vulnerable Software and Affected Versions**
Rapid7 Velociraptor versions prior to 0.6.7-5
**Description**
The issue allows a directory traversal where the collection task could be written by not properly sanitizing the client ID parameter to the "CreateCollection API". This could be exploited by providing a client ID of "../clients/server" to schedule the collection for the server, requiring only privileges to schedule collections on the client. Normally, scheduling an artifact on the server requires the "COLLECT SERVER" permission, which is typically granted to the "administrator" role. However, due to this issue, having the "COLLECT CLIENT" privilege, normally granted to the "investigator" role, is sufficient. To exploit this, an attacker must have a Velociraptor user account at least at the "investigator" level and be able to authenticate to the GUI and issue an API call to the backend.
**Recommendations**
For versions prior to 0.6.7-5, update to version 0.6.7-5 or later to fix the issue. As a temporary workaround, consider restricting access to the "CreateCollection API" or limiting the privileges of the "investigator" role until the update can be applied. Additionally, restrict the use of the `client ID` parameter to prevent directory traversal attacks.