CVE-2023-36822

Name of the Vulnerable Software and Affected Versions Uptime Kuma versions prior to 1.22.1

Description A path traversal vulnerability allows an authenticated attacker to delete files on the server, leading to unavailability and potentially data loss. Uptime Kuma allows authenticated users to install plugins from an official list of plugins, although this feature is currently disabled in the web interface. The corresponding API endpoints are still available after login. Before a plugin is downloaded, the plugin installation directory is checked for existence, and if it exists, it's removed before the plugin installation. Because the plugin is not validated against the official list of plugins or sanitized, the check for existence and the removal of the plugin installation directory are prone to path traversal. This vulnerability enables an authenticated attacker to delete files from the server Uptime Kuma is running on, potentially causing Uptime Kuma or the whole system to become unavailable due to data loss.

Recommendations For versions prior to 1.22.1, update to version 1.22.1 or later to resolve the issue. As a temporary workaround, consider disabling the plugin installation feature until a patch is available. Restrict access to the API endpoints related to plugin installation to minimize the risk of exploitation. Avoid using the plugin installation directory in a way that could lead to path traversal until the issue is resolved.