PT-2020-14304 · Unknown · Xmpp-Http-Upload

Published 2020-10-06 · Updated 2020-10-23 · CVE-2020-15239

CVSS v2.0: 4.0 Medium

Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

xmpp-http-upload versions prior to 0.4.0

Description

The issue allows attackers to read files that have a .data suffix and are accompanied by a JSON file with the .meta suffix when the GET method is attacked. This can lead to information disclosure and, in some shared-hosting scenarios, to circumvention of authentication or other limitations on the outbound traffic. In a scenario where a single server runs multiple instances of the application, an attacker who knows the directory structure can read files from any other instance to which the process has read access. If instances have individual authentication or other restrictions, attackers may circumvent those limits by using the directory traversal to retrieve data from the other instances. If the associated XMPP server, or anyone knowing the SECRET_KEY, is malicious, they can write files outside the DATA_ROOT, constrained to have the .meta and .data suffixes.

Recommendations

For versions prior to 0.4.0, upgrade to version 0.4.0 to resolve the issue. As a temporary workaround, consider configuring Apache to filter malicious paths when reverse-proxying. Restrict access to sensitive files and directories to minimize the risk of exploitation. Avoid using the SECRET_KEY in insecure contexts until the issue is resolved.
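
A containment check of the kind that blocks this class of traversal, shown as an added example; it is not xmpp-http-upload's own code or its 0.4.0 fix. `resolve_upload`, `TraversalError` and the two-instance directory layout are hypothetical names constructed for the illustration.

```python
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """The request path resolves outside the instance's data root."""


def resolve_upload(data_root: Path, request_path: str) -> tuple[Path, Path]:
    """Map a request path to its .data/.meta pair, confined to data_root."""
    root = data_root.resolve()
    # An absolute request path would replace root entirely when joined.
    if request_path.startswith("/") or "\x00" in request_path:
        raise TraversalError(request_path)
    # resolve() collapses ".." and follows symlinks before the comparison.
    candidate = (root / request_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise TraversalError(request_path) from None
    # The root itself is not a slot: "<root>.data" would be a sibling of root.
    if candidate == root:
        raise TraversalError(request_path)
    return (candidate.with_name(candidate.name + ".data"),
            candidate.with_name(candidate.name + ".meta"))


def demo() -> dict[str, bool]:
    """Constructed layout: two instances side by side on one server."""
    requests = ["abc/file.txt", "../instance_b/secret",
                "abc/../../instance_b/secret", "/etc/passwd", ""]
    accepted = {}
    with tempfile.TemporaryDirectory() as tmp:
        root_a, root_b = Path(tmp, "instance_a"), Path(tmp, "instance_b")
        root_a.mkdir()
        root_b.mkdir()
        # A .data/.meta pair owned by the *other* instance.
        (root_b / "secret.data").write_bytes(b"other tenant")
        (root_b / "secret.meta").write_text('{"headers": {}}')
        for req in requests:
            try:
                resolve_upload(root_a, req)
                accepted[req] = True
            except TraversalError:
                accepted[req] = False
    return accepted


if __name__ == "__main__":
    print(demo())
```

The same check belongs on both the read (GET) and write (PUT) paths, since the description covers reading and writing outside the data root.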

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2020-15239
GHSA-HWV5-W8GM-FQ9F
PYSEC-2020-158

Affected Products

Xmpp-Http-Upload