PT-2024-11533 · Appwrite · Appwrite

Dubs3C · Published 2024-02-22 · Updated 2024-08-21 · CVE-2022-25377

CVSS v4.0: 8.2 High

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Appwrite versions 0.5.0 through 0.12.x before 0.12.2

Description

The issue allows remote attackers to read arbitrary local files via ../ directory traversal in the "ACME-challenge" endpoint. This vulnerability requires the existence of APP_STORAGE_CERTIFICATES/.well-known/acme-challenge on disk, which is automatically created when installing Let's Encrypt certificates via Appwrite.

Recommendations

For Appwrite versions 0.5.0 through 0.12.x before 0.12.2, update to version 0.12.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "ACME-challenge" endpoint or removing the APP_STORAGE_CERTIFICATES/.well-known/acme-challenge directory if Let's Encrypt certificates are not needed.
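
The class of check that closes this kind of traversal, shown as an added example; it is not Appwrite's code and not the 0.12.2 patch. The function name, directory layout and sample requests are constructed for illustration. It allow-lists the token against the base64url alphabet that RFC 8555 requires for http-01 challenges, then confirms the resolved path is still inside the challenge directory.

```python
import os
import re
import tempfile

# RFC 8555 section 8.3: an http-01 token uses only the base64url alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")
URL_PREFIX = "/.well-known/acme-challenge/"

def resolve_challenge(challenge_dir, request_path):
    """Return the real path of the challenge file to serve, or None to reject."""
    if not request_path.startswith(URL_PREFIX):
        return None
    token = request_path[len(URL_PREFIX):]
    # Check 1: allow-list the token; rejects "/", ".", "%" and "\\" outright.
    if not TOKEN_RE.fullmatch(token):
        return None
    # Check 2: resolve symlinks and confirm the result is still inside the base.
    base = os.path.realpath(challenge_dir)
    target = os.path.realpath(os.path.join(base, token))
    if os.path.commonpath([base, target]) != base:
        return None
    return target if os.path.isfile(target) else None

def demo():
    """Build a constructed directory tree and run sample requests through the check."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        base = os.path.join(root, "certificates", ".well-known", "acme-challenge")
        os.makedirs(base)
        with open(os.path.join(base, "tok_EN-1"), "w") as f:
            f.write("tok_EN-1.constructed-key-authorization")
        with open(os.path.join(root, "secret.env"), "w") as f:
            f.write("constructed secret outside the challenge directory")
        # A symlink with a valid-looking name that points outside the directory.
        os.symlink(os.path.join(root, "secret.env"), os.path.join(base, "linked"))
        requests = [
            URL_PREFIX + "tok_EN-1",                   # legitimate token
            URL_PREFIX + "../../../secret.env",        # ../ traversal
            URL_PREFIX + "..%2f..%2f..%2fsecret.env",  # encoded traversal
            URL_PREFIX + "linked",                     # symlink escape
            URL_PREFIX + "missing",                    # valid name, no file
        ]
        return [resolve_challenge(base, r) is not None for r in requests]

if __name__ == "__main__":
    print(demo())
```

Only the first sample request resolves to a file; the second check matters because a name that passes the allow-list can still be a symlink pointing outside the directory.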

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2022-25377
GHSA-WFM3-GQ9H-MRJM

Affected Products

Appwrite