High severity · NVD Advisory · Published Apr 29, 2020 · Updated Aug 4, 2024

CVE-2020-12478

Description

TeamPass 2.1.27.36 allows an unauthenticated attacker to retrieve files from the TeamPass web root. This may include backups or LDAP debug files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated attacker can retrieve arbitrary files from the TeamPass web root, including backups and LDAP debug files.

Vulnerability Overview

CVE-2020-12478 affects TeamPass version 2.1.27.36, a collaborative password manager. The vulnerability stems from insufficient access controls on the web server, allowing any unauthenticated user who can interact with the instance to retrieve files from the web root [1][3]. Specifically, sensitive directories such as upload/, backups/, files/, and avatars/ are exposed without authentication, and directory listing may be enabled, making it easier to discover hashed filenames [3].

Attack Vector

An unauthenticated attacker with network access to the TeamPass web server can simply send HTTP GET requests to known file paths, for example curl http:///teampass/files/ldap.debug.txt [3]. The vulnerability does not require any authentication or prior knowledge; the attacker can enumerate or guess paths to retrieve stored files, including user-uploaded content, backup archives, and generated PDFs [3].

Impact

Successful exploitation can lead to the disclosure of sensitive data stored within TeamPass. This includes encrypted file uploads, profile pictures, database backups, and LDAP debug logs that may contain credentials or configuration details [1][3]. Although uploads are encrypted, an attacker could retrieve them for offline analysis; plain-text backups or debug files present a direct information disclosure risk. The exposure of backup files could lead to full credential compromise if encryption keys are also obtainable.

Mitigation Status

The issue was reported via GitHub and fixed in subsequent releases. Users are advised to upgrade to a patched version of TeamPass (2.1.27.37 or later). Administrators should also disable directory listing on the web server and restrict access to sensitive directories only to authenticated users [2][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
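
An added example, not part of the advisory or of TeamPass's own code: a log review that lists every 2xx request served directly from the four directories named above, so an administrator can see whether files were retrieved before the upgrade. It assumes the Apache/nginx combined access-log format and the /teampass install path used in the curl example; the log lines and the names example.sql and user1.png are constructed.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

BASE = "/teampass"  # assumption: install path, as in the advisory's curl example
SENSITIVE_DIRS = ("upload", "backups", "files", "avatars")  # named in the advisory

# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
DIR_RE = re.compile(r"^%s/(?:%s)(?P<rest>/.*)?$"
                    % (re.escape(BASE), "|".join(SENSITIVE_DIRS)))

def find_direct_fetches(lines):
    """Map client IP -> [(timestamp, normalised path, kind)] for every 2xx
    GET/HEAD served straight out of a sensitive directory. kind is "listing"
    for the directory index itself and "file" for anything beneath it."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        # Only GET/HEAD with a 2xx status means content was actually served.
        if (not m or m["method"] not in ("GET", "HEAD")
                or not m["status"].startswith("2")):
            continue
        # Drop the query string, decode %xx, collapse "//" and "." / ".." segments
        # so the logged request line is compared in normalised form.
        raw = unquote(m["target"].split("?", 1)[0])
        path = posixpath.normpath(re.sub(r"/{2,}", "/", raw))
        d = DIR_RE.match(path)
        if d:
            kind = "file" if d["rest"] else "listing"
            hits[m["ip"]].append((m["ts"], path, kind))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Apr/2020:10:01:02 +0000] "GET /teampass/files/ HTTP/1.1" 200 1843 "-" "curl/7.68.0"',
    '203.0.113.7 - - [29/Apr/2020:10:01:05 +0000] "GET /teampass/files/ldap.debug.txt HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
    '203.0.113.7 - - [29/Apr/2020:10:01:09 +0000] "GET /teampass/backups/example.sql HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    '198.51.100.20 - - [29/Apr/2020:10:02:00 +0000] "GET /teampass/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [29/Apr/2020:10:02:10 +0000] "GET /teampass//avatars/user1.png?v=2 HTTP/1.1" 200 740 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in find_direct_fetches(SAMPLE_LOG).items():
        print(ip, events)
```

The combined log format carries no session state, so requests made by signed-in users (avatar images, for instance) are listed alongside unauthenticated ones and need to be told apart by client address and timing.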
