PT-2025-35297 · Harness · Gitness +1
Thekavorka · Published 2025-08-29 · Updated 2025-08-29 · CVE-2025-58158
8.8 High
Base vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Harness Open Source versions prior to 3.3.0
Description:
Harness Open Source's Git Large File Storage (LFS) server (Gitness) exposes APIs for retrieving and uploading files via Git LFS. The upload API for Git LFS files is susceptible to arbitrary file write because the upload path is not properly sanitized. An authenticated user with access to the Harness Gitness server API can craft a malicious upload request that writes arbitrary files to any location on the file system, potentially compromising the server. Users who use Git LFS are affected.
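The defect class described above is an upload path built from a client-controlled identifier. The following Go example is added here for illustration and is not Gitness's code: `unsafeObjectPath` is a hypothetical join that lets a traversal string escape the store root, while `safeObjectPath` restricts the identifier to a well-formed LFS object ID and then independently checks that the resolved path stays under the root. The store root, directory layout and sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrBadPath is returned when an upload target is rejected.
var ErrBadPath = errors.New("invalid LFS object path")

// oidPattern matches a Git LFS object ID: a 64-character lowercase hex SHA-256.
var oidPattern = regexp.MustCompile(`^[0-9a-f]{64}$`)

// unsafeObjectPath joins the client-supplied identifier straight onto the
// store root. filepath.Join cleans ".." segments, so a traversal string
// resolves to a location outside the root. Hypothetical pattern, not Gitness code.
func unsafeObjectPath(root, oid string) string {
	return filepath.Join(root, oid)
}

// safeObjectPath accepts only a well-formed OID, lays it out under the root
// (<root>/<oid[0:2]>/<oid[2:4]>/<oid>, an assumed layout), and then re-checks
// that the resolved path still sits inside the root as a second, independent guard.
func safeObjectPath(root, oid string) (string, error) {
	if !oidPattern.MatchString(oid) {
		return "", ErrBadPath
	}
	cleanRoot := filepath.Clean(root)
	p := filepath.Join(cleanRoot, oid[0:2], oid[2:4], oid)
	rel, err := filepath.Rel(cleanRoot, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadPath
	}
	return p, nil
}

func main() {
	root := "/var/lib/lfs" // constructed store root
	// Constructed inputs: a traversal string and the SHA-256 of an empty blob.
	fmt.Println(unsafeObjectPath(root, "../../../tmp/escape.txt")) // escapes the root
	if _, err := safeObjectPath(root, "../../../tmp/escape.txt"); err != nil {
		fmt.Println("rejected:", err)
	}
	p, _ := safeObjectPath(root, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
	fmt.Println(p)
}
```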
Recommendations:
Upgrade to version 3.3.0 to resolve this issue.
Fix
Path traversal