PT-2018-4708 · Restafary · Restafary

Published: 2018-05-31 · Updated: 2019-10-09 · CVE-2016-10528

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: restafary versions prior to 1.6.1

Description: Restafary is affected by a directory traversal vulnerability. When a root path is specified in the configuration, requests can still reach files beyond that directory: a URL path containing ".." is resolved outside the configured root. For example, a request to the API endpoint "http://localhost:8000/api/v1/fs/.." can be used to read files outside the root, such as "/etc/passwd".

Recommendations: Update to version 1.6.1 or later. As a temporary workaround, restrict access to the API endpoint "/api/v1/fs/" to minimize the risk of exploitation, and do not allow the ".." notation in URL paths sent to the affected endpoint until the fix is applied.

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2016-10528
GHSA-XG5R-8J97-2WRJ

Affected Products

Restafary