CVE-2024-53844

Name of the Vulnerable Software and Affected Versions: EDDI (Enhanced Dialog Driven Interface) versions prior to 5.4

Description: A path traversal vulnerability exists in the backup export functionality of EDDI, as implemented in RestExportService.java. This vulnerability allows an attacker to access sensitive files on the server by manipulating the botFilename parameter in requests. The application fails to sanitize user input, enabling malicious inputs such as ..%2f..%2fetc%2fpasswd to access arbitrary files. However, the severity of this vulnerability is significantly limited because EDDI typically runs within a Docker container, which provides additional layers of isolation and restricted permissions. As a result, while this vulnerability exposes files within the container, it does not inherently threaten the underlying host system or other containers.

Recommendations: For versions prior to 5.4, upgrade to version 5.4, which contains the necessary patch to sanitize and validate the botFilename input parameter. As a temporary workaround, consider restricting access to the vulnerable endpoint through firewall rules or authentication mechanisms.